Abstract. In this paper we investigate bounded action theories in the situation
calculus. A bounded action theory is one which entails that, in every situation,
the number of object tuples in the extension of fluents is bounded by a given
constant, although such extensions are in general different across the infinitely
many situations. We argue that such theories are common in applications, either
because facts do not persist indefinitely or because the agent eventually forgets
some facts, as new ones are learnt. We discuss various classes of bounded action
theories. Then we show that verification of a powerful first-order variant of the
μ-calculus is decidable for such theories. Notably, this variant supports a controlled
form of quantification across situations. We also show that through verification,
we can actually check whether an arbitrary action theory maintains boundedness.


1 Introduction 

The situation calculus [64,73] is a well-known first-order formalism with certain
second-order features for representing dynamically changing worlds. It has proved to
be an invaluable formal tool for understanding the subtle issues involved in reasoning
about action. Its comprehensiveness allows us to place all aspects of dynamic systems
in perspective. Basic action theories let us capture change as a result of actions in the
system [?], while high-level languages such as Golog [58] and ConGolog [26] support
the representation of processes over the dynamic system. Aspects such as time [?],
knowledge and sensing [?], probabilities and utilities [?], and preferences [?] have
all been addressed.

The price of such generality is that decidability results for reasoning in the situation
calculus are rare, e.g., [85] for an argument-less fluents fragment, and [49] for
a description logic-like two-variable fragment. Obviously, we have the major feature
of being able to rely on regression to reduce reasoning about a given future situation
to reasoning about the initial situation [?]. Generalizations of this basic result such
as just-in-time histories [?] can also be exploited. However, when we move to temporal
properties, virtually all approaches are based on assuming a finite domain and a
finite number of states, and often rely on propositional modal logics and model checking
techniques [61,62]. There are only a few exceptions, such as [22,31,81], which develop
incomplete fixpoint approximation-based methods.

In this paper, we present an important new result on decidability of the situation 
calculus, showing that verification of bounded action theories is decidable. Bounded 
action theories are basic action theories [?], where it is entailed that in all situations,
the number of object tuples that belong to the extension of any fluent is bounded. In 
such theories, the object domain remains nonetheless infinite and an infinite run may 
involve an infinite number of objects, though at every single situation the number of 
objects we predicate on is finite and, in fact, bounded. 

But why should we believe that practical domains conform to this boundedness 
assumption? While it is often assumed that the law of inertia applies and that fluent 
atoms persist indefinitely in the absence of actions that affect them, we all know that 
pretty much everything eventually decays and changes. We may not even know how the 
change may happen, but nevertheless know that it will. Another line of argument for 
boundedness is epistemic. Agents remember facts that they use and periodically try to 
confirm them, often by sensing. A fact that never gets used is eventually forgotten. If a 
fact can never be confirmed, it may be given up as too uncertain. Given this, it seems 
plausible that in several contexts an agent’s knowledge, in every single moment, can be 
assumed to be bounded. While these philosophical arguments are interesting and relate 
to some deep questions about knowledge representation, one may take a more pragmatic 
stance, and this is what we do here. We identify some interesting classes of bounded 
action theories and show how they can model typical example domains. We also show 
how we can transform arbitrary basic action theories into bounded action theories, either
by blocking actions that would exceed the bound, or by having persistence (frame
axioms) apply only for a finite number of steps. Moreover we show that we can effectively
check whether any arbitrary theory with a bounded initial situation description
remains bounded in all executable situations (to do so we need to use verification).

The main result of the paper is that verification of an expressive class of first-
order μ-calculus temporal properties in bounded action theories is decidable and in fact
EXPTIME-complete. This means that we can check whether a system or process specified
over such a theory satisfies some specification even if we have an infinite domain
and an infinite set of situations or states. In a nutshell, we prove our results by focussing
on the active domain of situations, i.e., the set of objects for which some atomic fluent
holds; we know that the set of such active objects is bounded. We show that essentially
we can abstract situations whose active domains are isomorphic into a single state, and
thus, by suitably abstracting also actions, we can obtain an abstract finite transition
system that satisfies exactly the same formulas of our variant of the μ-calculus.

This work is of interest not only for AI, but also for other areas of computer science.
In particular it is of great interest for the work on data-aware business processes and
services [53,45,38]. Indeed, while there are well-established results and tools to analyze
business processes and services without considering the data manipulated, when data
are taken into account results are scarce. The present work complements that in, e.g.,
[36,4,9,5,10], and hints at an even more profound relevance of the situation calculus
in those areas [?]. More generally, our results can be recast in other reasoning about
action formalisms, both in AI and in CS.

The rest of the paper is organized as follows. In Section 2 we briefly review the situation
calculus and basic action theories. Then in Section 3 we define bounded action
theories. Following that, in Section 4 we discuss various ways of obtaining bounded action
theories, while showing that many practical domains can be handled. In Section 5
we introduce the $\mu\mathcal{L}_p$ language that we use to express first-order temporal properties
and its semantics. After that, we show that verification of $\mu\mathcal{L}_p$ properties over bounded
action theories is decidable, first in the case where we have complete information about
the initial situation in Section 6 and then in the general incomplete information case in
Section 7. Then in Section 8 we characterize the worst-case computational complexity
of the problem as EXPTIME-complete. In Section 9 we give a technique based on
our verification results to check whether an arbitrary basic action theory maintains
boundedness. In Section 10 we review the related literature. Finally, in Section 11 we
conclude the paper mentioning topics for future work.


2 Preliminaries 

The situation calculus [64,73] is a sorted predicate logic language for representing and
reasoning about dynamically changing worlds. All changes to the world are the result of
actions, which are terms in the language. We denote action variables by lower case letters
$a$, action types by capital letters $A$, and action terms by $\alpha$, possibly with subscripts.
A possible world history is represented by a term called a situation. The constant $S_0$
is used to denote the initial situation where no actions have yet been performed. Sequences
of actions are built using the function symbol $do$, where $do(a, s)$ denotes the
successor situation resulting from performing action $a$ in situation $s$. Besides actions
and situations, there is also the sort of objects for all other entities. Predicates and functions
whose value varies from situation to situation are called fluents, and are denoted
by symbols taking a situation term as their last argument (e.g., $Holding(x, s)$, meaning
that the robot is holding object $x$ in situation $s$). For simplicity, and without loss of
generality, we assume that there are no functions other than constants and no non-fluent
predicates. We denote fluents by $F$ and the finite set of primitive fluents by $\mathcal{F}$. The arguments
of fluents (apart from the last argument, which is of sort situation) are assumed
to be of sort object.

Within this language, one can formulate action theories that describe how the world
changes as the result of the available actions. Here, we concentrate on basic action
theories as proposed in [66,73]. We also assume that there is a finite number of action
types. Moreover, we assume that there is a countably infinite set of object constants $\mathcal{N}$
for which the unique name assumption holds. But we do not assume domain closure for
objects.¹ As a result a basic action theory $\mathcal{D}$ is the union of the following disjoint sets
of first-order (FO) and second-order (SO) axioms:

¹ Such an assumption is made in [?], where standard names [57] are used to denote objects.
Thus, the results here generalize those in [?].

- $\mathcal{D}_0$: (FO) initial situation description axioms describing the initial configuration of
the world (such a description may be complete or incomplete);

- $\mathcal{D}_{poss}$: (FO) precondition axioms of the form

  $Poss(A(\vec{x}), s) \equiv \phi_A(\vec{x}, s),$

one per action type, stating the conditions $\phi_A(\vec{x}, s)$ under which an action $A(\vec{x})$
can be legally performed in situation $s$; these use a special predicate $Poss(a, s)$
meaning that action $a$ is executable in situation $s$; $\phi_A(\vec{x}, s)$ is a formula of the
situation calculus that is uniform in situation $s$, that is, a formula that mentions
no other situation term but $s$ and does not mention $Poss$ (see [?] for a formal
definition);

- $\mathcal{D}_{ssa}$: (FO) successor state axioms of the form

  $F(\vec{x}, do(a, s)) \equiv \phi_F(\vec{x}, a, s),$

one per fluent, describing how the fluent changes when an action is performed; the
right-hand side (RHS) $\phi_F(\vec{x}, a, s)$ is again a situation calculus formula uniform in
$s$; successor state axioms encode the causal laws of the world being modeled; they
take the place of the so-called effect axioms and provide a solution to the frame
problem;

- $\mathcal{D}_{ca}$: (FO) unique name axioms for actions and (FO) domain closure on action
types;

- $\mathcal{D}_{uno}$: (FO) unique name axioms for object constants in $\mathcal{N}$;

- $\Sigma$: (SO) foundational, domain independent, axioms of the situation calculus [66].

We say that a situation $s$ is executable, written $Executable(s)$, if every action performed
in reaching $s$ was executable in the situation in which it occurred.

One of the key features of basic action theories is the existence of a sound and
complete regression mechanism for answering queries about situations resulting from
performing a sequence of actions [66,73]. In a nutshell, the regression operator $\mathcal{R}^*$
reduces a formula $\phi$ about a particular future situation to an equivalent formula $\mathcal{R}^*[\phi]$
about the initial situation $S_0$, by basically substituting fluent relations with the right-
hand side formula of their successor state axioms. Here, we shall use a simple one-step
only variant $\mathcal{R}$ of the standard regression operator $\mathcal{R}^*$ for basic action theories. Let
$\phi(do(a, s))$ be a formula uniform in the situation $do(a, s)$. Then $\mathcal{R}[\phi(do(a, s))]$ stands
for the one-step regression of $\phi$ through the action term $a$, which is itself a formula
uniform in $s$.

3 Bounded Action Theories 

Let $b$ be some natural number. We use the notation $|\{\vec{x} \mid \phi(\vec{x})\}| \geq b$, meaning that there
exist at least $b$ distinct tuples that satisfy $\phi$, to stand for the following FOL formula:









We also use the notation $|\{\vec{x} \mid \phi(\vec{x})\}| < b$, meaning that there are fewer than $b$ distinct
tuples that satisfy $\phi$, to stand for $\neg(|\{\vec{x} \mid \phi(\vec{x})\}| \geq b)$.

Using this, we define the notion of a fluent $F(\vec{x}, s)$ in situation $s$ being bounded by
a natural number $b$ as follows:

  $Bounded_{F,b}(s) \doteq |\{\vec{x} \mid F(\vec{x}, s)\}| < b,$

i.e., fluent $F$ is bounded by $b$ in situation $s$ if there are fewer than $b$ distinct tuples in the
extension of $F$ in situation $s$.

The notion of situation $s$ being bounded by a natural number $b$ is defined as follows:

  $Bounded_b(s) \doteq \bigwedge_{F \in \mathcal{F}} Bounded_{F,b}(s),$

i.e., every fluent is bounded by $b$ in situation $s$.

We say that an action theory $\mathcal{D}$ is bounded by $b$ if every executable situation is
bounded by $b$, formally:

  $\mathcal{D} \models \forall s.\, Executable(s) \supset Bounded_b(s).$

Example 1. Consider a warehouse where items are moved around by a robot (a similar
example is formalized in [?]). There are $k$ storage locations where items can be stored.
There is also a shipping dock where new items may arrive and stored items may be
shipped out. We can axiomatize this domain as follows.

We have the following action precondition axioms:²

  $Poss(move(x, l, l'), s) \equiv At(x, l, s) \wedge IsLoc(l') \wedge \neg\exists y.\, At(y, l', s)$
  $Poss(arrive(x), s) \equiv \neg\exists y.\, At(y, ShipDock, s) \wedge \neg\exists l.\, At(x, l, s)$
  $Poss(ship(x), s) \equiv At(x, ShipDock, s)$

The first axiom says that in situation $s$, the robot can perform action $move(x, l, l')$, i.e.,
move object $x$ from location $l$ to $l'$, if and only if $x$ is at $l$ in $s$ and $l'$ is a location where
no object is present in $s$. The second precondition axiom says that action $arrive(x)$ is
executable in situation $s$, i.e., object $x$ may arrive at the warehouse in $s$, if and only
if the shipping dock is empty and $x$ is not somewhere else in the warehouse. The last
axiom says that object $x$ can be shipped in situation $s$ if it is at the shipping dock in $s$.
For the fluent $At$, we have the following successor state axiom:

  $At(x, l, do(a, s)) \equiv \gamma^+(x, l, a, s) \vee At(x, l, s) \wedge \neg\gamma^-(x, l, a, s),$

where

  $\gamma^+(x, l, a, s) \doteq \exists l'.\, a = move(x, l', l) \wedge At(x, l', s) \wedge IsLoc(l') \wedge \neg\exists y.\, At(y, l, s)$
  $\qquad \vee\ a = arrive(x) \wedge l = ShipDock$ and

  $\gamma^-(x, l, a, s) \doteq \exists l'.\, a = move(x, l, l') \wedge l' \neq l \wedge IsLoc(l') \wedge \neg\exists y.\, At(y, l', s)$
  $\qquad \vee\ a = ship(x) \wedge At(x, ShipDock, s)$

² Throughout this paper, we assume that all free variables in a formula are implicitly universally
quantified from the outside. Occasionally, to be clear, we will write $\forall\phi$ to denote the universal
closure of $\phi$ explicitly.



This says that object $x$ is at location $l$ in the situation that results from doing action $a$ in
$s$ if and only if $\gamma^+(x, l, a, s)$ holds or if $x$ is already at $l$ in $s$ and $\gamma^-(x, l, a, s)$ doesn't
hold. $\gamma^+(x, l, a, s)$ specifies the conditions under which action $a$ makes object $x$ be at
location $l$ in situation $s$, i.e., if $a$ is to move $x$ to a free location $l$ from another location
$l'$ where $x$ was in $s$, or $a$ is $x$ arriving and $l$ is the shipping dock. $\gamma^-(x, l, a, s)$ specifies
the conditions under which action $a$ makes object $x$ cease to be at location $l$ in situation
$s$, i.e., $a$ is to move $x$ to a different location that is free, or is to ship $x$.

We specify the initial situation with the following initial state axioms:

  $\neg At(x, l, S_0)$
  $IsLoc(l) \equiv l = ShipDock \vee l = SL_1 \vee \ldots \vee l = SL_k$

We also have unique name axioms for the locations. For clarity, we make $IsLoc$ a non-fluent
predicate, although it is easy to recast it as a fluent that is unaffected by any
action.

It is not difficult to show that this theory is in fact bounded by $k + 1$. First note that
there are $k + 1$ locations initially and the set of locations never changes, so $IsLoc$ is
bounded by $k + 1$. For fluent $At$, it is initially bounded by 0, but the $arrive$ action can
augment its extension. However, the action theory ensures there can be at most one item
at each of the $k + 1$ locations. Thus $At$ remains bounded by $k + 1$. Therefore, the theory
is bounded by $k + 1$.

Observe that, as there are infinitely many constants denoting distinct objects, effectively
an unbounded number of items may be handled by subsequent $arrive$, $move$,
and $ship$ actions. Despite this, the theory remains bounded.
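The warehouse theory above, as an added example that is not part of the paper: a constructed Python simulation that evaluates the precondition and successor state axioms directly (progression, not regression) and checks, over a run that pushes 50 distinct items through the warehouse, that the extension of At never has more than k + 1 tuples. The value k = 3, the action encoding and the run itself are assumptions of this example.

```python
# Added example (not from the paper): a constructed progression-based simulator for
# the warehouse theory of Example 1. A situation is represented by the extension of
# the fluent At, i.e. a frozenset of (object, location) pairs, which is complete
# information about the only fluent that changes (IsLoc is a non-fluent predicate).
# Actions are tuples ("move", x, l, l2), ("arrive", x) and ("ship", x); executing an
# action evaluates the successor state axiom directly rather than by regression.

K = 3                                             # number of storage locations SL_1..SL_k
LOCS = frozenset(["ShipDock"] + [f"SL{i}" for i in range(1, K + 1)])

def is_loc(l):
    """IsLoc(l): l = ShipDock or l = SL_1 or ... or l = SL_k."""
    return l in LOCS

def occupied(at, l):
    """exists y. At(y, l, s)"""
    return any(loc == l for _, loc in at)

def poss(action, at):
    """The three precondition axioms of Example 1, evaluated in situation `at`."""
    kind = action[0]
    if kind == "move":
        _, x, l, l2 = action
        return (x, l) in at and is_loc(l2) and not occupied(at, l2)
    if kind == "arrive":
        x = action[1]
        return not occupied(at, "ShipDock") and not any(obj == x for obj, _ in at)
    if kind == "ship":
        return (action[1], "ShipDock") in at
    raise ValueError(f"unknown action type {kind}")

def gamma_plus(x, l, action, at):
    """gamma+(x, l, a, s): a moves x into the free location l, or x arrives at the dock."""
    if action[0] == "move":
        _, x2, l_from, l_to = action
        return x2 == x and l_to == l and (x, l_from) in at and is_loc(l) and not occupied(at, l)
    return action[0] == "arrive" and action[1] == x and l == "ShipDock"

def gamma_minus(x, l, action, at):
    """gamma-(x, l, a, s): a moves x away from l to a free location, or ships x from the dock."""
    if action[0] == "move":
        _, x2, l_from, l_to = action
        return x2 == x and l_from == l and l_to != l and is_loc(l_to) and not occupied(at, l_to)
    return action[0] == "ship" and action[1] == x and l == "ShipDock"

def do(action, at):
    """Successor state axiom: At(x, l, do(a, s)) iff gamma+ or (At(x, l, s) and not gamma-).
    Only tuples that hold now or that `action` could make true need to be examined."""
    candidates = set(at)
    if action[0] == "move":
        candidates.add((action[1], action[3]))
    elif action[0] == "arrive":
        candidates.add((action[1], "ShipDock"))
    return frozenset(
        (x, l) for (x, l) in candidates
        if gamma_plus(x, l, action, at) or ((x, l) in at and not gamma_minus(x, l, action, at))
    )

def run(actions, at=frozenset()):
    """Execute `actions` from S0 (At empty), refusing any non-executable action.
    Returns the final extension of At, the largest |At| reached along the run and the
    set of every object that was ever in the warehouse."""
    peak, seen = len(at), {x for x, _ in at}
    for a in actions:
        if not poss(a, at):
            raise RuntimeError(f"action {a} is not executable in {sorted(at)}")
        at = do(a, at)
        peak = max(peak, len(at))
        seen |= {x for x, _ in at}
    return at, peak, seen

def churn(n_items):
    """Constructed run: fill every storage location, then let further items pass
    through the dock. Object names never repeat, so the run draws on an unbounded
    supply of constants while |At| never exceeds k + 1 (the bound the text derives)."""
    actions = []
    for i in range(K):
        actions += [("arrive", f"item{i}"), ("move", f"item{i}", "ShipDock", f"SL{i + 1}")]
    for i in range(K, n_items):
        actions += [("arrive", f"item{i}"), ("ship", f"item{i}")]
    return actions

if __name__ == "__main__":
    final, peak, seen = run(churn(50))
    print(f"{len(seen)} distinct objects handled, peak |At| = {peak}, final |At| = {len(final)}")
```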

We shall see that for bounded action theories, verification of sophisticated temporal 
properties is decidable. 

4 Obtaining Bounded Action Theories 

Before focusing on verification, in this section we look at various interesting sufficient 
conditions that guarantee that a basic action theory is bounded. Later in Section 9 we
will see that it is actually possible to use verification itself to check whether any arbitrary 
basic action theory, with a bounded initial situation description, is indeed bounded. 

4.1 Bounding by Blocking 

We observe that the formula $Bounded_b(s)$ is a FO formula uniform in $s$ and hence it is
regressable for basic action theories. This allows us to introduce a first interesting class
of bounded action theories. Indeed, from any basic action theory, we can immediately
obtain a bounded action theory by simply blocking the execution of actions whenever
the result would exceed the bound.

Let $\mathcal{D}$ be a basic action theory. We define the bounded basic action theory $\mathcal{D}_b$ by
replacing each action precondition axiom in $\mathcal{D}$ of the form $Poss(a(\vec{x}), s) \equiv \Phi(\vec{x}, s)$
by a precondition axiom of the form

  $Poss(a(\vec{x}), s) \equiv \Phi(\vec{x}, s) \wedge \mathcal{R}[Bounded_b(do(a(\vec{x}), s))]$   (1)



Theorem 1. Let $\mathcal{D}$ be a basic action theory with the initial description $\mathcal{D}_0$ such that
$\mathcal{D}_0 \models Bounded_b(S_0)$, for some $b$, and let $\mathcal{D}_b$ be the basic action theory obtained as
discussed above. Then, $\mathcal{D}_b$ is bounded by $b$.

Proof. By (1) it is guaranteed that any executable action leads to a bounded situation.
Hence by induction on executable situations, we get the thesis.

Example 2. Suppose that we have a camera on a smart phone or tablet computer. We
could model the storage of photos on the device using a fluent $PhotoStored(p, s)$,
meaning that photo $p$ is stored in the device's memory. Such a fluent might have the
following successor state axiom:

  $PhotoStored(p, do(a, s)) \equiv a = takePhoto(p)$
  $\qquad \vee\ PhotoStored(p, s) \wedge a \neq deletePhoto(p)$

We may also assume that action $takePhoto(p)$ is always executable and that
$deletePhoto(p)$ is executable in $s$ if $p$ is stored in $s$:

  $Poss(takePhoto(p), s) \equiv True$
  $Poss(deletePhoto(p), s) \equiv PhotoStored(p, s).$

Now such a device would clearly have a limited capacity for storing photos. If we
assume for simplicity that photos come in only one resolution and file size, then we
can model this by simply applying the transformation discussed above. This yields the
following modified precondition axioms:

  $Poss(takePhoto(p), s) \equiv |\{p' \mid PhotoStored(p', s)\}| < b - 1$
  $Poss(deletePhoto(p), s) \equiv PhotoStored(p, s) \wedge |\{p' \mid PhotoStored(p', s)\}| < b + 1.$

Note how the condition on the right hand side of the first axiom above ensures there
are fewer than $b$ photos stored after the action of taking a photo $p$ occurs. Clearly, the
resulting theory is bounded by $b$ (assuming that the original theory is bounded by $b$ in
$S_0$).

Note that this way of obtaining a bounded action theory is far from realistic in modeling
the actual constraints on the storage of photos. One could develop a more accurate
model, taking into account the size of photos, the memory management scheme used,
etc. This would also yield a bounded action theory, though one whose boundedness is a
consequence of a sophisticated model of memory capacity.

Example 3. Let's extend the previous example by supposing that the device
also maintains a contacts directory. We could model this using a fluent
$InPhoneDir(name, number, photo, s)$, with the following successor state axiom:

  $InPhoneDir(na, no, p, do(a, s)) \equiv$
  $\qquad a = add(na, no, p) \vee InPhoneDir(na, no, p, s) \wedge$
  $\qquad a \neq deleteName(na) \wedge a \neq deleteNumber(no)$

We could then apply our transformation to this new theory to obtain a bounded action
theory, getting precondition axioms such as the following:

  $Poss(add(na, no, p), s) \equiv PhotoStored(p, s) \wedge$
  $\qquad |\{p' \mid PhotoStored(p', s)\}| < b \wedge$
  $\qquad |\{(na, no, p) \mid InPhoneDir(na, no, p, s)\}| < b - 1$

The resulting theory blocks actions from being performed whenever the action would
result in a number of tuples in some fluent exceeding the bound.

We observe that this kind of bounded action theory is really modeling a capacity
constraint on every fluent,³ which may block actions from being executed. As a result,
an action may be executable in a situation in the original theory, but not executable in
the bounded one. Thus an agent may want to "plan" to find a sequence of actions that
would make the action executable again. In general, to avoid dead-ends, one should
carefully choose the original action theory on which the bound is imposed; in particular,
there should always be actions that remove tuples from fluents.
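The transformation (1) applied to the photo-storage theory of Example 2, as an added example that is not part of the paper: a constructed Python simulation that evaluates the regressed conjunct by one-step lookahead (legitimate here because the situation is completely known) and checks, step by step, that the blocked theory stays within the bound and agrees with the hand-derived axioms of Example 2. The situation encoding and the assumption that photo names are fresh are this example's.

```python
# Added example (not from the paper): the "bounding by blocking" transformation of
# Section 4.1 applied to the photo-storage theory of Example 2, as a constructed
# simulation.  A situation is a dict from fluent name to extension (complete
# information).  Under complete information R[Bounded_b(do(a, s))] evaluated in s
# has the same truth value as Bounded_b evaluated in the progressed situation
# do(a, s), so this example computes it by one-step lookahead instead of by
# regression; that is a choice made here, not the paper's construction.
from typing import Callable, Dict, FrozenSet, Tuple

Situation = Dict[str, FrozenSet[Tuple]]
Action = Tuple[str, str]            # ("takePhoto", p) or ("deletePhoto", p)

S0: Situation = {"PhotoStored": frozenset()}

def bounded(s: Situation, b: int) -> bool:
    """Bounded_b(s): every fluent has fewer than b tuples in its extension."""
    return all(len(ext) < b for ext in s.values())

def poss_orig(a: Action, s: Situation) -> bool:
    """Precondition axioms of the original theory of Example 2."""
    if a[0] == "takePhoto":
        return True                                  # Poss(takePhoto(p), s) == True
    if a[0] == "deletePhoto":
        return (a[1],) in s["PhotoStored"]           # Poss(deletePhoto(p), s) == PhotoStored(p, s)
    raise ValueError(a)

def do(a: Action, s: Situation) -> Situation:
    """PhotoStored(p, do(a, s)) iff a = takePhoto(p) or PhotoStored(p, s) and a != deletePhoto(p)."""
    stored = set(s["PhotoStored"])
    if a[0] == "takePhoto":
        stored.add((a[1],))
    elif a[0] == "deletePhoto":
        stored.discard((a[1],))
    return {"PhotoStored": frozenset(stored)}

def block(poss: Callable[[Action, Situation], bool], b: int) -> Callable[[Action, Situation], bool]:
    """Axiom (1): Poss_b(a, s) = Poss(a, s) and R[Bounded_b(do(a, s))], the regressed
    conjunct being evaluated here by lookahead on the progressed situation."""
    def poss_b(a: Action, s: Situation) -> bool:
        return poss(a, s) and bounded(do(a, s), b)
    return poss_b

def poss_derived(a: Action, s: Situation, b: int) -> bool:
    """The precondition axioms the text derives by hand for D_b in Example 2.
    The takePhoto case assumes p is not already stored, as the text does."""
    n = len(s["PhotoStored"])                         # |{p' | PhotoStored(p', s)}|
    if a[0] == "takePhoto":
        return n < b - 1
    if a[0] == "deletePhoto":
        return (a[1],) in s["PhotoStored"] and n < b + 1
    raise ValueError(a)

def run(poss, actions, b):
    """Execute `actions` from S0 under precondition `poss`, skipping blocked ones.
    Returns the final situation, the skipped actions and whether every situation
    reached satisfied Bounded_b (what Theorem 1 guarantees for D_b)."""
    s, skipped, all_bounded = S0, [], bounded(S0, b)
    for a in actions:
        if poss(a, s):
            s = do(a, s)
            all_bounded = all_bounded and bounded(s, b)
        else:
            skipped.append(a)
    return s, skipped, all_bounded

def derived_agrees(b, actions):
    """Step through `actions` under D_b and check that the lookahead precondition
    and the hand-derived axioms agree at every step (fresh photo names assumed)."""
    poss_b = block(poss_orig, b)
    s = S0
    for a in actions:
        if poss_b(a, s) != poss_derived(a, s, b):
            return False
        if poss_b(a, s):
            s = do(a, s)
    return True

if __name__ == "__main__":
    takes = [("takePhoto", f"p{i}") for i in range(5)]
    print("original theory:", run(poss_orig, takes, 3))
    print("blocked theory: ", run(block(poss_orig, 3), takes, 3))
```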

4.2 Effect Bounded Action Theories 

Let's consider another sufficient condition for boundedness. Without loss of generality
we can take the general form of successor state axioms to be as follows:

  $F(\vec{x}, do(a, s)) \equiv \Phi^+_F(\vec{x}, a, s) \vee (F(\vec{x}, s) \wedge \neg\Phi^-_F(\vec{x}, a, s))$

We say that fluent $F$ is effect bounded if:

  $|\{\vec{x} \mid \Phi^+_F(\vec{x}, a, s)\}| \leq |\{\vec{x} \mid \Phi^-_F(\vec{x}, a, s)\}|,$

i.e., for every action and situation, the number of tuples added to the fluent is less than
or equal to that deleted.

We say that a basic action theory is effect bounded if every fluent $F \in \mathcal{F}$ is effect
bounded.

Theorem 2. Let $\mathcal{D}$ be an effect bounded basic action theory with the initial situation
description $\mathcal{D}_0$ such that $\mathcal{D}_0 \models Bounded_b(S_0)$, for some $b$. Then $\mathcal{D}$ is bounded by $b$.

Proof. By induction on executable situations.

Example 4. Many axiomatizations of the Blocks World are not effect bounded. For
instance, suppose that we have fluents $OnTable(x, s)$, i.e., block $x$ is on the table in
situation $s$, and $On(x, y, s)$, i.e., block $x$ is on block $y$ in situation $s$, with the following
successor state axioms:

  $OnTable(x, do(a, s)) \equiv a = moveToTable(x)$
  $\qquad \vee\ OnTable(x, s) \wedge \neg\exists y.\, a = move(x, y)$

  $On(x, y, do(a, s)) \equiv a = move(x, y) \vee On(x, y, s) \wedge$
  $\qquad \neg\exists z.\,(z \neq y \wedge a = move(x, z)) \wedge a \neq moveToTable(x)$

³ The bound $b$ applies to each fluent individually, so the total number of tuples in a situation is
bounded by $|\mathcal{F}| \cdot b$. Instead, one could equivalently impose a global capacity bound on the total
number of tuples for which some fluent holds in a situation.



Then, performing the action $moveToTable(B1)$ will result in a net increase in the
number of objects that are on the table (assuming that the action is executable and that
$B1$ is not already on the table). Thus, fluent $OnTable$ is not effect bounded in this
theory.

However, it is easy to develop an alternative axiomatization of the Blocks World that
is effect bounded. Suppose that we use only the fluent $On(x, y, s)$ and the single action
$move(x, y)$, where $y$ is either a block or the table, which is denoted by the constant
$Table$. We can axiomatize the domain dynamics as follows:

  $On(x, y, do(a, s)) \equiv a = move(x, y)$
  $\qquad \vee\ On(x, y, s) \wedge \neg\exists z.\,(z \neq y \wedge a = move(x, z))$

That is, $x$ is on $y$ after action $a$ is performed in situation $s$ if and only if $a$ is moving
$x$ onto $y$ or $x$ is already on $y$ in situation $s$ and $a$ does not involve moving $x$ onto an
object other than $y$. We say that $move(x, y)$ is executable in situation $s$ if and only if $x$
is not the table in $s$, $x$ and $y$ are distinct, $x$ is clear and on something other than $y$ in $s$,
and $y$ is clear unless it is the table in $s$:

  $Poss(move(x, y), s) \equiv x \neq Table \wedge x \neq y \wedge \neg\exists z.\, On(z, x, s) \wedge$
  $\qquad \exists z.\,(z \neq y \wedge On(x, z, s)) \wedge (y = Table \vee \neg\exists z.\, On(z, y, s))$

Then it is easy to show that any occurrence of $move(x, y)$ in a situation $s$ where the
action is executable adds $(x, y)$ to $O = \{(x', y') \mid On(x', y', s)\}$ while deleting $(x, y'')$
for some $y''$ s.t. $y'' \neq y$, leaving $|O|$ unchanged. Note that we must require that $x$
be on something in the action precondition axiom to get this. Any action other than
$move(x, y)$ leaves $O$ unchanged. Thus $On$ is effect bounded.

The precondition that $x$ be on something for $move(x, y)$ to be executable means that
we cannot move a new unknown block onto another or the table. We must of course impose
restrictions on "moving new blocks in" if we want to preserve effect boundedness.
One way to do this is to add an action $replace(x, y)$, i.e., replacing $x$ by $y$. We can
specify its preconditions as follows:

  $Poss(replace(x, y), s) \equiv x \neq Table \wedge y \neq Table \wedge x \neq y \wedge$
  $\qquad \neg\exists z.\, On(z, x, s) \wedge \exists z.\, On(x, z, s) \wedge \neg\exists z.\, On(z, y, s) \wedge \neg\exists z.\, On(y, z, s)$

That is, $replace(x, y)$ is executable in situation $s$ if and only if $x$ and $y$ are not the table
and are distinct, $x$ is clear and on something in $s$, and $y$ is clear and not on something
in $s$. We can modify the successor state axiom for $On$ to be:

  $On(x, y, do(a, s)) \equiv a = move(x, y) \vee$
  $\qquad \exists z.\,(a = replace(z, x) \wedge On(z, y, s))$
  $\qquad \vee\ On(x, y, s) \wedge \neg\exists z.\,(z \neq y \wedge a = move(x, z)) \wedge$
  $\qquad \neg\exists z.\,(z \neq y \wedge a = replace(x, z)),$

where $On(x, y)$ becomes true if $x$ replaces $z$ and $z$ was on $y$ in $s$, and $On(x, y)$ becomes
false if $z$ replaces $x$ and $x$ was on $y$ in $s$. It is straightforward to show that this change
leaves $On$ effect bounded.



Example 5. For another simple example (perhaps more practical), let's look at how we
could specify the "favorite web sites" menu of an internet application. We can assume
that there is a fixed number of favorite web site positions on the menu, say 1 to $k$. We
can replace what is at position $n$ on the menu by the URL $u$ by performing the action
$replace(n, u)$. This can be axiomatized as follows:

  $FavoriteSites(n, u, do(a, s)) \equiv a = replace(n, u) \vee$
  $\qquad FavoriteSites(n, u, s) \wedge \neg\exists u'.\,(u' \neq u \wedge a = replace(n, u'))$

  $Poss(replace(n, u), s) \equiv n \in \{1, \ldots, k\} \wedge \exists u'.\, FavoriteSites(n, u', s)$

It is easy to show that in this axiomatization, $FavoriteSites$ is effect bounded. No
action, including $replace(n, u)$, causes the extension of the fluent to increase.

The $FavoriteSites$ fluent is typical of many domain properties/relations, such as
the passengers in a plane, the students in a class, or the cars parked in a parking lot,
where we can think of the relation as having a finite capacity, and where we can reassign
the objects that are in it. In some cases, the capacity bound may be difficult to pin
down, e.g., the guests at a wedding, although the capacity is by no means unbounded. As
well, there are definitely examples where we need an unbounded theory, e.g., to model a
pushdown automaton that can recognize a particular context-free language. The situation
calculus is a very expressive language that accommodates this; for instance, it has been
used to model Turing machines [?]. One might arguably want an unbounded "favorite
sites" menu or contacts directory, although this seems hardly practical. Another interesting
question is how such capacity constraints might apply to a complex agent such
as a robot that is modeling its environment. Clearly, such a robot would have limitations
with respect to how many environment features/objects/properties it can memorize and
track. Finally, note that the condition $|\{\vec{x} \mid \Phi^+_F(\vec{x}, a, s)\}| \leq |\{\vec{x} \mid \Phi^-_F(\vec{x}, a, s)\}|$ is not
a FO formula and it is difficult (in fact, undecidable) in general to determine whether
a basic action theory is effect bounded. But as our examples illustrate, there are many
instances where it is easy to show that the bounded effects condition holds.

4.3 Fading Fluents Action Theories 

Fading fluents action theories are based on the idea that information over time loses
strength and fades away unless it is reinforced explicitly. A fading fluents action theory
with fading length given by a natural number $\ell$ is an action theory where a fluent $F(\vec{x}, s)$
is defined by making use of some auxiliary fluents $F_i(\vec{x}, s)$, for $0 \leq i \leq \ell$, where
$F(\vec{x}, s) \doteq \bigvee_{0 \leq i \leq \ell} F_i(\vec{x}, s)$ and the auxiliary fluents have successor state axioms of the
following special form:

  $F_\ell(\vec{x}, do(a, s)) \equiv \Phi^+_F(\vec{x}, a, s) \wedge |\{\vec{x} \mid \exists a.\, \Phi^+_F(\vec{x}, a, s)\}| < b$

and for $0 \leq i < \ell$ we have:

  $F_i(\vec{x}, do(a, s)) \equiv \neg\Phi^+_F(\vec{x}, a, s) \wedge F_{i+1}(\vec{x}, s) \wedge \neg\Phi^-_F(\vec{x}, a, s).$

Thus, tuples are initially added to $F_\ell$, and progressively lose their strength, moving from
$F_i$ to $F_{i-1}$ each time an action occurs that does not delete or re-add them; eventually
they move out of $F_0$ and are forgotten. Note that:

- Technically, a fading fluents action theory is a basic action theory having as fluents
only the auxiliary fluents.

- It is simple to obtain a fading fluent version of any basic action theory.

- It is often convenient to include explicit $refresh_F(\vec{x})$ actions, whose effect, when
applied to a situation $s$, is simply to make $F_\ell(\vec{x}, do(refresh_F(\vec{x}), s))$ true, and
$F_i(\vec{x}, do(refresh_F(\vec{x}), s))$ false for $0 \leq i < \ell$. Similarly it may be convenient
to include $forget_F(\vec{x})$ actions, whose effect is to make $F_i(\vec{x}, do(forget_F(\vec{x}), s))$
false, for all $i$.

Theorem 3. Let $\mathcal{D}$ be a fading fluents action theory with fading length $\ell$ and initial
database $\mathcal{D}_0$ such that $\mathcal{D}_0 \models Bounded_b(S_0)$, for some $b$. Then, $\mathcal{D}$ is bounded by $b$.

Proof. By induction on executable situations. For the base case, we have that initially
for each fluent we have at most $b$ facts, hence $S_0$ is bounded by $b$. For the inductive
case, by the inductive hypothesis we have that $Bounded_b(s)$. Now, take an arbitrary
action $a(\vec{t})$, and an arbitrary fluent $F$. Then: (i) $Bounded_{F_\ell,b}(do(a(\vec{t}), s))$, since positive
effects are bounded by $b$ in its successor state axiom; and (ii) for all $0 \leq i < \ell$,
since $F_i$ depends on $F_{i+1}$ in the previous situation in its successor state axioms, we
have that $Bounded_{F_i,b}(do(a(\vec{t}), s))$ since $Bounded_{F_{i+1},b}(s)$ and in the worst case the
whole extension of $F_{i+1}$ in $s$ is carried over to $F_i$ in $do(a(\vec{t}), s)$.

Example 6. Imagine a sort of "vacuum cleaner world" where a robotic vacuum cleaner
may clean a room or region $r \in S$. If a room/region is used, then it becomes unclean.
We could model this using a fluent $IsClean(r, s)$ with the following successor state
axiom:

  $IsClean(r, do(a, s)) \equiv a = clean(r) \vee IsClean(r, s) \wedge a \neq use(r)$

Clearly, cleanliness is a property that fades over time. By applying the proposed transformation
to this specification, we obtain the following:

  $IsClean_\ell(r, do(a, s)) \equiv a = clean(r) \wedge 1 < b$

and for $0 \leq i < \ell$ we have:

  $IsClean_i(r, do(a, s)) \equiv a \neq clean(r) \wedge IsClean_{i+1}(r, s) \wedge a \neq use(r)$

This is a somewhat more realistic model where after $\ell$ steps, we forget about a room
being clean.
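The fading transformation of Section 4.3 on Example 6's IsClean fluent, as an added example that is not part of the paper: a constructed Python simulation with fading length ℓ = 2 that keeps the extensions of the auxiliary fluents IsClean_0 .. IsClean_ℓ, includes the refresh and forget actions from the section's notes, and reports after how many unrelated actions a cleaned room is forgotten. The action encoding and the choice of ℓ are assumptions of this example.

```python
# Added example (not from the paper): a constructed simulation of the fading fluents
# transformation of Section 4.3, instantiated on the IsClean fluent of Example 6 with
# fading length ELL.  A situation is the list of extensions of the auxiliary fluents
# IsClean_0 .. IsClean_ELL; the derived fluent IsClean(r, s) holds iff some level holds.
# The refresh and forget actions of the section's third note are included.  The
# "1 < b" conjunct of Example 6 is omitted: clean(r) adds exactly one tuple, so it is
# true for any b >= 2.

ELL = 2     # fading length: a tuple survives ELL further unrelated actions after being added

def initial(clean_rooms=()):
    """S0: the listed rooms are clean at full strength; every other level is empty."""
    levels = [set() for _ in range(ELL + 1)]
    levels[ELL] = set(clean_rooms)
    return levels

def do(action, levels):
    """Auxiliary successor state axioms for one action (kind, room):
      IsClean_ELL(r, do(a, s)) iff a = clean(r)            (or a = refresh(r))
      IsClean_i(r, do(a, s))   iff a != clean(r) and IsClean_{i+1}(r, s) and a != use(r)
                                   for 0 <= i < ELL;  forget(r) also drops r from every level."""
    kind, room = action
    new = [set() for _ in range(ELL + 1)]
    if kind in ("clean", "refresh"):
        new[ELL].add(room)
    touches = kind in ("clean", "refresh", "use", "forget")
    for i in range(ELL):
        new[i] = {r for r in levels[i + 1] if not (touches and r == room)}
    return new

def is_clean(room, levels):
    """IsClean(r, s) = OR over 0 <= i <= ELL of IsClean_i(r, s)."""
    return any(room in lvl for lvl in levels)

def strength(room, levels):
    """Highest level i at which IsClean_i(room) holds, or None once it is forgotten."""
    for i in range(ELL, -1, -1):
        if room in levels[i]:
            return i
    return None

def run(actions, levels=None):
    """Apply `actions` in order from S0 and return the resulting levels."""
    levels = initial() if levels is None else levels
    for a in actions:
        levels = do(a, levels)
    return levels

def actions_until_forgotten(room):
    """After clean(room), count the unrelated actions needed before IsClean(room) is false."""
    levels = do(("clean", room), initial())
    n = 0
    while is_clean(room, levels):
        levels = do(("clean", "elsewhere"), levels)      # an action not mentioning `room`
        n += 1
    return n

def max_extension(actions):
    """Largest |IsClean_i| seen at any level along a run: the quantity Theorem 3 bounds."""
    levels, peak = initial(), 0
    for a in actions:
        levels = do(a, levels)
        peak = max(peak, max(len(lvl) for lvl in levels))
    return peak

if __name__ == "__main__":
    print("forgotten after", actions_until_forgotten("kitchen"), "unrelated actions")
```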

Example 7. Consider a robot that can move objects around. We might model this using
a fluent $At(object, location, s)$ with the following successor state axiom:

  $At(o, l, do(a, s)) \equiv a = moveTo(o, l) \vee a = observe(o, l) \vee$
  $\qquad At(o, l, s) \wedge a \neq takeAway(o) \wedge$
  $\qquad \neg\exists l'.\, l' \neq l \wedge (a = moveTo(o, l') \vee a = observe(o, l'))$

Here, $moveTo(o, l)$ represents the robot's moving object $o$ to location $l$. We also have
an action $observe(o, l)$ of observing that object $o$ is at location $l$, a kind of exogenous
action that might be produced by the robot's sensors. As well, we have another exogenous
action $takeAway(o)$, representing another agent's taking object $o$ to an unknown
location. If the world is dynamic, most objects would not remain where they are indefinitely,
even if the robot is unaware of anyone moving them. By applying the proposed
transformation to this specification, we obtain a theory where information about the
location of objects fades unless it is refreshed by the robot's observations or actions.
After $\ell$ steps, the robot forgets the location of an object it has not observed or moved;
moreover, this happens immediately if the object is taken away by another agent.

Example 8. As a final example, consider a softbot that keeps track of which hosts are
online. We might model this using a fluent $NonFaulty(host, s)$ with the following
successor state axiom:

  $NonFaulty(h, do(a, s)) \equiv a = pingS(h) \vee NonFaulty(h, s) \wedge a \neq pingF(h)$

Here the action $pingS(h)$ means that the host $h$ has been pinged successfully, and
the action $pingF(h)$ means that the host $h$ has not responded to a ping within the
allocated time. As time passes, we may not want to assume that currently non-faulty
hosts remain non-faulty. If we apply the proposed transformation to this specification,
we obtain a theory where information about hosts being non-faulty fades. The agent
must periodically ping the host successfully to maintain its knowledge that the host is
non-faulty.

An interesting natural example of such fading representations is the pheromones left 
by insects. Note that it is also possible to model fading with time as opposed to fading 
with the number of actions, though in this case we have to bound how many actions can 
occur between clock ticks. 
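The fading transformation of Examples 6 to 8 can be exercised directly. The following Python progression engine is an added illustration, not the paper's code; it applies the transformation to $\mathit{NonFaulty}$ from Example 8 with constructed host names and action sequences, and checks that a host's status fades after $\ell$ actions unless refreshed by $\mathit{pingS}$, is dropped at once by $\mathit{pingF}$, and that the recovered $\mathit{NonFaulty}$ extension never holds more than $\ell$ hosts, however many hosts are pinged.

```python
"""Constructed progression engine for the fading transformation (not the
paper's code).  NonFaulty from Example 8 is split into NonFaulty_1 .. NonFaulty_L,
where NonFaulty_i(h, s) reads "h was last pinged successfully i actions ago".
The successor state axioms follow the shape used for IsClean_i in Example 6:
    NonFaulty_1(h, do(a, s))     <-> a = pingS(h)                      (when 1 <= L)
    NonFaulty_{i+1}(h, do(a, s)) <-> a != pingS(h) and NonFaulty_i(h, s) and a != pingF(h)
and NonFaulty(h, s) itself is recovered as the disjunction of the copies."""

L = 2  # fading bound: a host is forgotten after L actions without a successful ping


def initial_state():
    """Extensions of NonFaulty_1 .. NonFaulty_L in S0 (all empty here)."""
    return {i: frozenset() for i in range(1, L + 1)}


def successor(state, action):
    """Progress the fading copies by one action.  action = (name, host); a
    'tick' action with host None stands for any action unrelated to hosts."""
    name, host = action
    # NonFaulty_1 holds exactly the host just pinged successfully (if L >= 1).
    new = {1: frozenset({host}) if (name == "pingS" and L >= 1) else frozenset()}
    for i in range(1, L):
        new[i + 1] = frozenset(
            h for h in state[i]
            if not (name == "pingS" and h == host)   # refreshed: it moved to level 1
            and not (name == "pingF" and h == host)  # seen faulty: forgotten at once
        )
    return new                                       # level-L tuples simply drop out


def non_faulty(state):
    """Extension of the original fluent: union of the fading copies."""
    return frozenset().union(*state.values())


def run(actions):
    """Return the extension of NonFaulty after each action, starting from S0."""
    state = initial_state()
    trace = [non_faulty(state)]
    for a in actions:
        state = successor(state, a)
        trace.append(non_faulty(state))
    return trace


if __name__ == "__main__":
    # Constructed sample run: h1 and h2 are pinged, then two unrelated actions happen.
    for step in run([("pingS", "h1"), ("pingS", "h2"), ("tick", None), ("tick", None)]):
        print(sorted(step))
```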

5 Expressing Dynamic Properties

To express properties about Situation Calculus action theories, we introduce a specific
logic, inspired by the $\mu$-calculus [40, 17], one of the most powerful temporal logics, subsuming
both linear time logics, such as Linear Temporal Logic (LTL) and Property
Specification Language (PSL), and branching time logics such as Computational
Tree Logic CTL and CTL* [41]. The main characteristic of the $\mu$-calculus is its
ability to express directly least and greatest fixpoints of (predicate-transformer) operators
formed using formulae relating the current state to the next one. By using such
fixpoint constructs one can easily express sophisticated properties defined by induction
or co-induction. This is the reason why virtually all logics used in verification can be
considered as fragments of the $\mu$-calculus. Technically, the $\mu$-calculus separates local properties,
asserted on the current state or on states that are immediate successors of the
current one, from properties talking about states that are arbitrarily far away from the
current one. The latter are expressed through the use of fixpoints. Our variant of
the $\mu$-calculus is able to express first-order properties over situations. At the same time,
it allows for a controlled form of first-order quantification across situations,
where the quantification ranges over objects that persist in the extension of some
fluents across situations.




Formally, we define the logic $\mu\mathcal{L}_p$ as:

$$\Phi ::= \varphi \mid \neg\Phi \mid \Phi_1 \wedge \Phi_2 \mid \exists x.\mathrm{LIVE}(x) \wedge \Phi \mid \mathrm{LIVE}(x) \wedge \langle - \rangle\Phi \mid \mathrm{LIVE}(x) \wedge [-]\Phi \mid Z \mid \mu Z.\Phi$$

In addition, we use the usual FOL abbreviations for $\vee$, $\supset$, $\equiv$, and $\forall$, plus the standard
$\mu$-calculus abbreviation $\nu Z.\Phi = \neg\mu Z.\neg\Phi[Z/\neg Z]$. Let us comment on some aspects of
$\mu\mathcal{L}_p$.

- $\varphi$ in the expression above is an arbitrary (possibly open) uniform situation-suppressed
(i.e., with all situation arguments in fluents suppressed) situation calculus
FO formula, in which the only constants that may appear are those explicitly
mentioned in the situation calculus theory beyond $\mathcal{D}_{uno}$, i.e., those occurring in
$\mathcal{D}_{poss} \cup \mathcal{D}_{ssa} \cup \mathcal{D}_0$. Observe that quantification inside $\varphi$ is not subject to any
restriction; in particular, $\mathrm{LIVE}(\cdot)$ is not required.

- The boolean connectives have their usual meaning. Quantification over individuals
in $\exists x.\mathrm{LIVE}(x) \wedge \Phi$ and $\forall x.\mathrm{LIVE}(x) \supset \Phi$ (i.e., $\neg\exists x.\mathrm{LIVE}(x) \wedge \neg\Phi$) has the expected
meaning, with the proviso that individuals over which quantification ranges must
belong to the active domain of the current situation, i.e., belong to the extension of
some fluent in the current situation, as required by $\mathrm{LIVE}(\cdot)$.

- Intuitively, the use of $\mathrm{LIVE}(\cdot)$ in $\mu\mathcal{L}_p$ ensures that objects are only considered in
quantification across situations if they persist along the system evolution, while the
evaluation of a formula with objects that are not present in the current extension of
the fluents trivially evaluates to either false for $\exists$ or true for $\forall$. In particular:

• $\mathrm{LIVE}(x) \wedge \langle - \rangle\Phi$ denotes the set of situations $s$ such that for some action $a$
that is executable in $s$, we have that $\Phi$ holds in $do(a, s)$, with the variables
occurring free in $\Phi$, $x$, assigned to objects that are in the active domain of the
current situation $s$.

• $\mathrm{LIVE}(x) \wedge [-]\Phi$ denotes those situations $s$ such that for all actions $a$ that are
executable in $s$, we have that $\Phi$ holds in $do(a, s)$, with the variables occurring
free in $\Phi$ assigned to objects that are in the active domain of the current
situation $s$.

• $\mathrm{LIVE}(x) \supset \langle - \rangle\Phi$ (i.e., $\neg(\mathrm{LIVE}(x) \wedge [-]\neg\Phi)$) denotes those situations $s$ such
that for some action $a$ that is executable in $s$, we have that $\Phi$ holds in $do(a, s)$
as long as the variables occurring free in $\Phi$ are assigned to objects that are in
the active domain of the current situation $s$.

• $\mathrm{LIVE}(x) \supset [-]\Phi$ (i.e., $\neg(\mathrm{LIVE}(x) \wedge \langle - \rangle\neg\Phi)$) denotes those situations $s$ such
that for all actions $a$ that are executable in $s$, we have that $\Phi$ holds in $do(a, s)$
as long as the variables occurring free in $\Phi$ are assigned to objects that are in
the active domain of the current situation $s$.

- $Z$ is an SO (0-ary) predicate variable.

- $\mu Z.\Phi$ and $\nu Z.\Phi$ are fixpoint formulas and denote respectively the least and the
greatest fixpoint of the formula $\Phi$ seen as a predicate transformer $\lambda Z.\Phi$. To guarantee
the existence of such fixpoints, as usual in the $\mu$-calculus, formulae of the form
$\mu Z.\Phi$ and $\nu Z.\Phi$ must satisfy syntactic monotonicity of $\Phi$ with respect to $Z$, which
states that every occurrence of the variable $Z$ in $\Phi$ must be within the scope of an
even number of negation symbols.

* Clearly, we can get around this assumption by adding to the initial situation description a new
"dummy" fluent that holds for a bounded number of constants.

- $\mu Z.\Phi$ and $\nu Z.\Phi$ may contain free individual variables, which are those of $\Phi$; technically
these act as parameters of the fixpoint formula, i.e., the value of the fixpoints
$\mu Z.\Phi$ and $\nu Z.\Phi$ is determined only once an assignment to the free individual variables
is given.

- Finally, with a slight abuse of notation, we write $\mathrm{LIVE}(x_1, \ldots, x_n) = \bigwedge_{i \in \{1, \ldots, n\}} \mathrm{LIVE}(x_i)$,
and we assume that in $\mathrm{LIVE}(x) \wedge \langle - \rangle\Phi$ and $\mathrm{LIVE}(x) \wedge [-]\Phi$,
the variables $x$ are exactly the free individual variables of $\Phi$, after we have substituted
each bound predicate variable $Z$ in $\Phi$ by the corresponding binding fixpoint
formula $\mu Z.\Phi'$ or $\nu Z.\Phi'$.

We can express arbitrary temporal/dynamic properties using least and greatest fixpoint
constructions. For instance, to say that it is possible to eventually achieve $\varphi$,
where $\varphi$ is a closed situation-suppressed formula, we use the least fixpoint formula
$\mu Z.\varphi \vee \langle - \rangle Z$. Similarly, we can use a greatest fixpoint formula $\nu Z.\varphi \wedge [-]Z$ to express
that $\varphi$ must always hold.

Example 9. We can give several examples of properties that we may want to verify
for the warehouse robot domain of Example 1. First, suppose that we want to say that
it is possible to eventually have shipped all items that are in the factory. This can be
expressed in our language as a least fixpoint formula:

$$\mu Z.\neg\exists x \exists l.\mathit{At}(x, l) \vee \langle - \rangle Z$$

This formula, let's call it $\Phi_{eg9}$, corresponds to the CTL formula $EF\,\neg\exists x\exists l.\mathit{At}(x, l)$. In
the above, we rely on the fact that if there are no items left in the factory, then all items
that were there must have been shipped. It is easy to check that the theory of Example
1, $\mathcal{D}_1$, entails that this formula holds in the initial situation $S_0$, formally $\mathcal{D}_1 \models \Phi_{eg9}$. In
fact, we can also show that the above property always holds:

$$\mathcal{D}_1 \models \nu Z.\Phi_{eg9} \wedge [-]Z.$$

This corresponds to the CTL formula $AG\,EF\,\neg\exists x\exists l.\mathit{At}(x, l)$. Note that more generally,
a formula $\mu Z.\varphi \vee \langle - \rangle Z$, i.e., $EF\varphi$ in CTL, represents an instance of a planning
problem; it is entailed by a theory if there exists an executable sequence of actions such
that the goal $\varphi$ holds afterwards.

A second example property that we may want to verify is that it is possible to eventually
have all items shipped out of the factory and then later to eventually have all
locations filled with items. This can be expressed as follows:

$$\mathcal{D}_1 \models \mu Z.[(\neg\exists l\exists x.\mathit{At}(x, l)) \wedge \mu Z.(\forall l.\mathit{IsLoc}(l) \supset \exists x.\mathit{At}(x, l)) \vee \langle - \rangle Z)] \vee \langle - \rangle Z$$

or equivalently in CTL notation

$$\mathcal{D}_1 \models EF((\neg\exists l\exists x.\mathit{At}(x, l)) \wedge EF(\forall l.\mathit{IsLoc}(l) \supset \exists x.\mathit{At}(x, l))).$$


Our next example concerns a safety property; we can show that it is always the case
that if an item is at the shipping dock it can be moved away or shipped out next:

$$\mathcal{D}_1 \models \nu Z.[(\exists x.\mathit{At}(x, \mathit{ShipDock})) \supset \langle - \rangle(\neg\exists x.\mathit{At}(x, \mathit{ShipDock}))] \wedge [-]Z$$

or equivalently in CTL notation

$$\mathcal{D}_1 \models AG[(\exists x.\mathit{At}(x, \mathit{ShipDock})) \supset \langle - \rangle(\neg\exists x.\mathit{At}(x, \mathit{ShipDock}))].$$

However, this is not the case for other locations, as it is possible for all locations to
become occupied, at which point the agent must ship the item at the shipping dock
before it can transfer the item at the location of interest there:

$$\mathcal{D}_1 \models \neg\nu Z.[\forall l.(\mathrm{LIVE}(l) \supset (\exists x.\mathit{At}(x, l) \supset (\mathrm{LIVE}(l) \supset \langle - \rangle(\neg\exists x.\mathit{At}(x, l)))))] \wedge [-]Z$$

which simplifies to (also observing that $\exists x.\mathit{At}(x, l)$ implies $\mathrm{LIVE}(l)$):

$$\mathcal{D}_1 \models \neg\nu Z.[\forall l.(\exists x.\mathit{At}(x, l) \supset \langle - \rangle(\neg\exists x.\mathit{At}(x, l)))] \wedge [-]Z.$$

But it is always possible to clear a location in two steps:

$$\mathcal{D}_1 \models \nu Z.[\forall l.(\exists x.\mathit{At}(x, l) \supset (\langle - \rangle(\mathrm{LIVE}(l) \wedge \langle - \rangle(\neg\exists x.\mathit{At}(x, l)))))] \wedge [-]Z$$

The above involves quantification across situations, and we require the location involved
to persist (it trivially does).

Now, let's consider another example where we quantify across situations. We may
want to say that it is always the case that if an item is in the warehouse, it is possible to
have it persist until it is eventually shipped out:

$$\mathcal{D}_1 \models \nu Z.[\forall x.(\exists l.\mathit{At}(x, l)) \supset \mu Z.(\neg\exists l.\mathit{At}(x, l)) \vee \mathrm{LIVE}(x) \wedge \langle - \rangle Z] \wedge [-]Z.$$

or equivalently in CTL notation

$$\mathcal{D}_1 \models AG[\forall x.(\exists l.\mathit{At}(x, l)) \supset EF\,\neg\exists l.\mathit{At}(x, l)].$$

Note that the weaker property that it is always the case that if an item is in the warehouse,
it is possible to have it shipped out eventually if it persists also holds:

$$\mathcal{D}_1 \models \nu Z.[\forall x.(\exists l.\mathit{At}(x, l)) \supset \mu Z.(\neg\exists l.\mathit{At}(x, l)) \vee (\mathrm{LIVE}(x) \supset \langle - \rangle Z)] \wedge [-]Z.$$

Finally, consider the property that if an item is eventually shipped, it is possible for
it to eventually come back:

$$\forall x.(\exists l.\mathit{At}(x, l)) \supset AG[\neg\exists l.\mathit{At}(x, l) \supset EF\,\exists l.\mathit{At}(x, l)].$$

We cannot express this property in $\mu\mathcal{L}_p$ because $x$ does not persist after it has been
shipped. The closest translation

$$\forall x.\mathrm{LIVE}(x) \wedge \exists l.\mathit{At}(x, l) \supset \nu Z.[\neg\exists l.\mathit{At}(x, l) \supset \mu Z.(\exists l.\mathit{At}(x, l)) \vee \mathrm{LIVE}(x) \wedge \langle - \rangle Z] \wedge [-]Z.$$

is always false because if $x$ is not at some location, then it is not in the active domain
and $\mathrm{LIVE}(x)$ is false.



Next we turn to semantics. Since $\mu\mathcal{L}_p$ contains formulae with free individual and
predicate variables, given a model $\mathcal{M}$ of an action theory $\mathcal{D}$ with object domain $\Delta$
and situation domain $S$, we introduce a valuation $(v, V)$ formed by an individual variable
valuation $v$, which maps each individual variable $x$ to an object $v(x)$ in $\Delta$, and a
parametrized predicate variable valuation $V$, which, given the valuation of the individual
variables $v$, maps each predicate variable $Z$ to a subset $V(v, Z)$ of situations in $S$
(notice that for each individual variable valuation $v$ the mapping may change). Given
a valuation $(v, V)$, we denote by $(v, V)[x/d]$ the valuation $(v', V')$ such that: (i) for
every individual variable $y \neq x$ we have $v'(y) = v(y)$ and $v'(x) = d$, (ii) for every
predicate variable $Z$ we have $V'(v', Z) = V(v', Z)$. Sometimes we also use the notation
$v[x/d]$ to denote $v'$ such that for every individual variable $y \neq x$ we have $v'(y) = v(y)$
and $v'(x) = d$. To express that $v$ assigns the values $d$ to the variables $x$, we use the
notation $x/d$. Analogously, we denote by $(v, V)[Z/\mathcal{E}]$ the valuation $(v', V')$ such that:
(i) for every individual variable $x$ we have $v'(x) = v(x)$, (ii) for every predicate variable
$Y \neq Z$ we have $V'(v', Y) = V(v, Y)$, and for $Z$ we have $V'(v', Z) = \mathcal{E}$. Also we
denote by $adom_{\mathcal{M}}(s)$ the active (object) domain of situation $s$ in the model $\mathcal{M}$, which
is the set of all objects occurring in some $F^{\mathcal{M}}(s)$ ($F \in \mathcal{F}$) or as the denotation in $\mathcal{M}$
of a constant in the set $\mathcal{C}$ of object constants occurring in $\mathcal{D}_{poss} \cup \mathcal{D}_{ssa} \cup \mathcal{D}_0$. Then
we assign semantics to formulae by associating to a model $\mathcal{M}$ and a valuation $(v, V)$
an extension function $(\cdot)^{\mathcal{M}}_{(v,V)}$, which maps $\mu\mathcal{L}_p$ formulae to subsets of $S$, inductively
defined as follows (for clarity, we interpret explicitly also the abbreviation $\nu Z.\Phi$):


$$\begin{array}{lcl}
(\varphi)^{\mathcal{M}}_{(v,V)} & = & \{ s \in S \mid \mathcal{M}, v \models \varphi[s] \} \\
(\neg\Phi)^{\mathcal{M}}_{(v,V)} & = & S - (\Phi)^{\mathcal{M}}_{(v,V)} \\
(\Phi_1 \wedge \Phi_2)^{\mathcal{M}}_{(v,V)} & = & (\Phi_1)^{\mathcal{M}}_{(v,V)} \cap (\Phi_2)^{\mathcal{M}}_{(v,V)} \\
(\exists x.\mathrm{LIVE}(x) \wedge \Phi)^{\mathcal{M}}_{(v,V)} & = & \{ s \in S \mid \exists d \in adom_{\mathcal{M}}(s).\ s \in (\Phi)^{\mathcal{M}}_{(v,V)[x/d]} \} \\
(\mathrm{LIVE}(x) \wedge \langle - \rangle\Phi)^{\mathcal{M}}_{(v,V)} & = & \{ s \in S \mid x/d \in v \text{ and } d \subseteq adom_{\mathcal{M}}(s) \text{ and } \exists a.\ (a, s) \in Poss^{\mathcal{M}} \text{ and } do^{\mathcal{M}}(a, s) \in (\Phi)^{\mathcal{M}}_{(v,V)} \} \\
(\mathrm{LIVE}(x) \wedge [-]\Phi)^{\mathcal{M}}_{(v,V)} & = & \{ s \in S \mid x/d \in v \text{ and } d \subseteq adom_{\mathcal{M}}(s) \text{ and } \forall a.\ (a, s) \in Poss^{\mathcal{M}} \text{ implies } do^{\mathcal{M}}(a, s) \in (\Phi)^{\mathcal{M}}_{(v,V)} \} \\
(Z)^{\mathcal{M}}_{(v,V)} & = & V(v, Z) \\
(\mu Z.\Phi)^{\mathcal{M}}_{(v,V)} & = & \bigcap \{ \mathcal{E} \subseteq S \mid (\Phi)^{\mathcal{M}}_{(v,V)[Z/\mathcal{E}]} \subseteq \mathcal{E} \} \\
(\nu Z.\Phi)^{\mathcal{M}}_{(v,V)} & = & \bigcup \{ \mathcal{E} \subseteq S \mid \mathcal{E} \subseteq (\Phi)^{\mathcal{M}}_{(v,V)[Z/\mathcal{E}]} \}
\end{array}$$


Notice that given a (possibly open) uniform situation-suppressed situation calculus formula
$\varphi$, slightly abusing notation, we denote by $\varphi[s]$ the corresponding formula with
the situation calculus argument reintroduced and assigned to situation $s$.

Intuitively, the extension function $(\cdot)^{\mathcal{M}}_{(v,V)}$ assigns the following meaning to the $\mu\mathcal{L}_p$
constructs.

* By mentioning situations explicitly, it is also possible to define these operators directly in
second-order logic as follows:

$$\mu Z.\Phi[s] = \forall Z.(\forall s.\Phi[s] \supset Z(s)) \supset Z(s)$$
$$\nu Z.\Phi[s] = \exists Z.(\forall s.Z(s) \supset \Phi[s]) \wedge Z(s)$$



- The extension of $\mu Z.\Phi$ is the smallest subset $\mathcal{E}_\mu$ of situations such that, assigning to
$Z$ the extension $\mathcal{E}_\mu$, the resulting extension of $\Phi$ is contained in $\mathcal{E}_\mu$ (with the assignments
of the individual variables and the other predicate variables given by $v$ and
$V$, respectively). That is, the extension of $\mu Z.\Phi$ is the least fixpoint of the operator
$(\Phi)^{\mathcal{M}}_{(v,V)[Z/\mathcal{E}]}$. Notice that for each valuation of the free individual variables in $\Phi$
this operator will be different: the free variables act as parameters of the predicate
transformer $\lambda Z.\Phi$.

- Similarly, the extension of $\nu Z.\Phi$ is the greatest subset $\mathcal{E}_\nu$ of situations such that,
assigning to $Z$ the extension $\mathcal{E}_\nu$, the resulting extension of $\Phi$ contains $\mathcal{E}_\nu$. That is,
the extension of $\nu Z.\Phi$ is the greatest fixpoint of the operator $(\Phi)^{\mathcal{M}}_{(v,V)[Z/\mathcal{E}]}$.

Notice also that when a $\mu\mathcal{L}_p$ formula $\Phi$ is closed, its extension $(\Phi)^{\mathcal{M}}_{(v,V)}$ does not
depend on the valuation $(v, V)$. In fact, the only formulas of interest in verification are
those that are closed.

Observation 1 Observe that we do not have actions as parameters of $[-]\cdot$ and $\langle - \rangle\cdot$.
However we can easily remember the last action performed, and in fact a finite sequence
of previous actions. To do this, for each action type $A(x)$, we introduce a fluent
$\mathit{Last}_A(x, s)$ with successor state axiom:

$$\mathit{Last}_A(x, do(a, s)) \equiv a = A(x)$$

We can also remember the second last action by introducing fluents
$\mathit{SecondLast}_A(x, s)$ with successor state axioms:

$$\mathit{SecondLast}_A(x, do(a, s)) \equiv \mathit{Last}_A(x, s)$$

Similarly for the third last action, etc.

In this way we can store a finite suffix of the history in the current situation and
write FO formulas relating the individuals in the parameters of actions occurring in the
suffix. For example, we can write (assuming for simplicity that the mentioned fluents
have all the same arity):

$$\mu Z.(\exists x.\mathit{Last}_A(x) \wedge \mathit{SecondLast}_B(x)) \vee \langle - \rangle Z,$$

i.e., it is possible to eventually do $B(x)$ followed by $A(x)$ for some $x$.

Observation 2 Observe that while our $\mu\mathcal{L}_p$ allows for quantification over objects that
persist across situations, the expressiveness of bounded action theories means that we
can often avoid its use. For instance, we can easily introduce a finite number of
"registers", i.e., fluents that store only one tuple, which can be used to store and refer
to tuples across situations. We can do this by introducing fluents $\mathit{Reg}_i(x, s)$ and two
actions $\mathit{setReg}_i(x)$ and $\mathit{clearReg}_i$ to set and clear the register $\mathit{Reg}_i$ respectively. These
are axiomatized as follows:

$$\mathit{Reg}_i(x, do(a, s)) \equiv a = \mathit{setReg}_i(x) \vee \mathit{Reg}_i(x, s) \wedge a \neq \mathit{clearReg}_i$$
$$Poss(\mathit{setReg}_i(x), s) \equiv \neg\exists x.\mathit{Reg}_i(x, s)$$
$$Poss(\mathit{clearReg}_i, s) \equiv \exists x.\mathit{Reg}_i(x, s)$$

For example, we can write (assuming for simplicity that the mentioned fluents have all
the same arity):

$$\mu Z.(\exists x.\mathit{Reg}_i(x) \wedge F(x) \wedge \langle - \rangle\exists y.\mathit{Reg}_i(y) \wedge F'(y)) \vee \langle - \rangle Z$$

This formula says that there exists a sequence of actions where eventually the tuple
referred to by register $i$ has property $F$ and there is an action after which it has property
$F'$. Note also that this approach can be used to handle some cases of quantification over
objects that don't persist across situations.

* (Continuation of the footnote on defining the fixpoint operators in second-order logic.)
Note that $\Phi$ may contain free individual and predicate variables, and indeed these remain free in
$\mu Z.\Phi$ and $\nu Z.\Phi$. In this paper, we prefer to leave the situation implicit to allow for interpreting
formulas over arbitrary transition systems, including finite ones, and hence relating our logic
to the standard $\mu$-calculus.


6 Verification of Bounded Action Theories with Complete
Information on $S_0$

We now show that verifying $\mu\mathcal{L}_p$ properties against bounded action theories is decidable.
In this section we focus on action theories with complete information on the initial
situation. The case of incomplete information is addressed in the next section. In particular,
we assume that the extension of all fluents in the initial situation $S_0$ is given as
a (bounded) database. We further assume that the domain of interpretation for objects
$\Delta$ is also given. Notice that, as a consequence of the presence of infinitely many object
constants and the unique name assumption on them $\mathcal{D}_{uno}$, such an object domain $\Delta$
must be infinite. As a result of these two assumptions, we have that the action theory
$\mathcal{D}$ admits only one model, which, with a little abuse of terminology, we call
the model of the action theory $\mathcal{D}$ (though in order to define it we need $\Delta$ as well).

Our main result is the following.

Our main result is the following. 

Theorem 4. Let $\mathcal{D}$ be a bounded action theory with initial situation described by a
(bounded) database and with infinite object domain $\Delta$, and let $\Phi$ be a closed $\mu\mathcal{L}_p$ formula.
Then checking whether $\mathcal{D} \models \Phi$ is decidable.


The proof is structured as follows. Firstly, we show that action terms can be eliminated
from $\mu\mathcal{L}_p$ formulas without loss of generality (cf. Section 6.1). Exploiting this,
we show that only the fluent extensions in each situation and not situations themselves
are relevant when evaluating $\mu\mathcal{L}_p$ formulas (cf. Section 6.2). In this step, we also prove
that checking FO formulas and answering FO queries locally, i.e., on a given situation,
are, respectively, decidable and effectively computable, under boundedness.


* By the way, in the case of action theories with a given finite object domain, verification becomes
easily reducible to model checking, since the corresponding situation calculus model is
bisimilar to a finite propositional transition system.




Then, based on the observations above, we introduce transition systems as alternative
structures (to the models of situation calculus action theories), over which $\mu\mathcal{L}_p$
formulas can be evaluated. Transition systems are less rich than the models of situation
calculus action theories, as they do not reflect, in general, the structure of the situation
tree. Yet, they can accommodate the information of models needed to evaluate $\mu\mathcal{L}_p$
formulas (cf. Sections 6.3 and 6.4). In this step, we define the notion of persistence-preserving
bisimulation, i.e., a variant of standard bisimulation which requires a certain
kind of isomorphism to exist between bisimilar states and their successors (cf. page 24),
and prove that persistence-preserving bisimilar transition systems preserve the truth
value of $\mu\mathcal{L}_p$ formulas (cf. Section 6.3). This is a key step in the proof, which allows us
to reduce the verification of $\mu\mathcal{L}_p$ formulas over an infinite transition system to that over
a bisimilar transition system that is finite.

In the third and fundamental step (Section 6.5), we carry out a faithful abstraction
operation, and show how to actually construct a finite transition system that is
persistence-preserving bisimilar to the infinite one induced by the model of the action
theory (cf. Procedure 1 and Theorems 15 and 16). Finally, we prove that verification
is decidable on finite transition systems, thus on the one induced by the model of the
action theory (cf. Theorem 17).

The rest of this section details these steps. 


6.1 Suppressing Action Terms

Under uniqueness of action names, domain closure for actions, and the fact that action
types are finitely many, w.l.o.g., we can remove action terms from uniform situation
calculus formulas.

Theorem 5. For every, possibly open, situation calculus FO formula $\varphi(x, s)$ uniform
in $s$ and with free variables $x$, all of object sort, there exists a situation calculus formula
$\varphi'(x, s)$ uniform in $s$, where no action terms occur, such that

$$\mathcal{D}_{ca} \models \forall(\varphi(x, s) \equiv \varphi'(x, s)).$$

Proof. By induction on the structure of $\varphi$. For $\varphi = F(t, s)$, we have that by definition
$t$ can only contain object terms, so $\varphi' = \varphi$. For $\varphi = (A(y) = A'(y'))$,
with $x \subseteq y \cup y'$, if $A = A'$, then $\varphi' = (y = y')$, else $\varphi' = \bot$. The case
of boolean connectives is straightforward. If $\varphi = \exists a.\phi(x, a, s)$, consider the formula
$\varphi'' = \bigvee_{A \in \mathcal{A}} \exists y_A.\phi_A(x, y_A, s)$, with $\phi_A$ obtained from $\phi(x, a, s)$ by replacing
each occurrence of $a$ with $A(y_A)$, where $y_A$ are fresh variables. We obviously have
$\mathcal{D}_{ca} \models \forall(\varphi \equiv \varphi'')$. Now, for each $\phi_A$, let $\phi'_A$ be a formula containing no action terms,
such that $\mathcal{D}_{ca} \models \forall(\phi_A \equiv \phi'_A)$. By the induction hypothesis, such a $\phi'_A$ exists. Finally, let
$\varphi' = \bigvee_{A \in \mathcal{A}} \exists y_A.\phi'_A(x, y_A, s)$. Clearly, $\varphi'$ contains no action terms and is uniform in
$s$. By considering unique name axioms for actions and domain closure for action types
($\mathcal{D}_{ca}$), we can see that $\mathcal{D}_{ca} \models \forall(\varphi'' \equiv \varphi')$. Thus, since $\mathcal{D}_{ca} \models \forall(\varphi \equiv \varphi'')$, the thesis
follows, i.e., $\mathcal{D}_{ca} \models \forall(\varphi \equiv \varphi')$.

Such a result immediately extends to $\mu\mathcal{L}_p$, since in $\mu\mathcal{L}_p$ formulas only uniform
(situation-suppressed) situation calculus FO subformulas can occur.





Theorem 6. Any $\mu\mathcal{L}_p$ formula $\Phi$ can be rewritten into an equivalent $\mu\mathcal{L}_p$ formula $\Phi'$,
where no action terms occur, such that $\mathcal{D}_{ca} \models \forall(\Phi \equiv \Phi')$.

On the basis of this theorem, w.l.o.g., we will always rewrite $\mu\mathcal{L}_p$ formulas so that
actions do not occur in them.


6.2 Suppressing Situation Terms

Since the FO components of $\mu\mathcal{L}_p$ formulas are situation-suppressed, situations are obviously
irrelevant when checking $\mu\mathcal{L}_p$ formulas; more precisely, the FO components
(thus the whole logic) are sensitive only to the interpretation of fluents (and constants)
at each situation, while the situations themselves are not relevant. The impact of this
observation on the evaluation of $\mu\mathcal{L}_p$ formulas in the general case will become evident
in Section 6.4. Here, we focus on the local evaluation of FO components (on the interpretation
of a single situation), or more specifically of FO situation calculus formulas
uniform in $s$, and present some notable results that, besides being interesting per se,
will be useful later on.

Given a basic action theory $\mathcal{D}$, we denote by $\mathcal{F}$ the set of its fluent symbols and by
$\mathcal{C}$ the (finite) set of constants in $\mathcal{N}$ explicitly mentioned in $\mathcal{D}$, beyond $\mathcal{D}_{uno}$. Then given
a model $\mathcal{M}$ of $\mathcal{D}$ with object domain $\Delta$ and a situation $s$, it is natural to associate $s$ with
a FO interpretation $\mathcal{I}_{\mathcal{M}}(s) = (\Delta, \cdot^{\mathcal{I}_{\mathcal{M}}(s)})$, where: (i) for every $c \in \mathcal{C}$, $c^{\mathcal{I}_{\mathcal{M}}(s)} = c^{\mathcal{M}}$, and (ii) for
every (situation-suppressed) fluent $F$ of $\mathcal{D}$, $F^{\mathcal{I}_{\mathcal{M}}(s)} = \{d \mid (d, s) \in F^{\mathcal{M}}\}$. The following
result is an obvious consequence of the definitions above.


Theorem 7. For any possibly open FO situation-suppressed situation calculus formula
$\varphi$ uniform in $s$, any situation $s$ and any object variable valuation $v$, we have that
$\mathcal{M}, v \models \varphi[s]$ if and only if $\mathcal{I}_{\mathcal{M}}(s), v \models \varphi$.

In other words, when evaluating a uniform FO situation-calculus formula on a situation,
one needs only focus on the interpretation relative to the situation of interest.

Next, we show that, for bounded action theories, we have decidability of evaluation
of FO formulas in spite of the object domain being infinite. Even more, we obtain
that we can compute the answers to FO queries on specific situations. Notice that the
latter result is not obvious, in that the object domain is infinite and, thus, so could be
the answer. Importantly, these results imply that we can check action executability and
compute the effects of action executions, two facts that we will strongly leverage
when checking $\mu\mathcal{L}_p$ formulas.

We begin by showing some results concerning the decidability of FO formula evaluation
in an interpretation with finite predicate extensions, but infinite domain. More
precisely, we consider a finite set $\mathcal{F}$ of predicate symbols (situation-suppressed fluents)
and a finite set $\mathcal{C}$ (a subset of $\mathcal{N}$) of constant symbols; a (FO) interpretation $\mathcal{I}$ over an
infinite domain $\Delta$ is a tuple $\mathcal{I} = (\Delta, \cdot^{\mathcal{I}})$, where $\cdot^{\mathcal{I}}$ assigns an extension $F^{\mathcal{I}}$ over $\Delta$ to
each predicate symbol $F \in \mathcal{F}$, and a distinct object $c^{\mathcal{I}} \in \Delta$ to every constant $c$ in $\mathcal{C}$. The
active domain of an interpretation $\mathcal{I}$, denoted $adom(\mathcal{I})$, is the set of all the individuals
occurring in the extension of some fluent $F \in \mathcal{F}$, or interpreting some constant $c \in \mathcal{C}$,
in $\mathcal{I}$. Moreover, for simplicity, we assume that all constants mentioned in FO formulas
of interest belong to $\mathcal{C}$.



First, let us recall a classical result saying that FO formulas (with no function symbols
other than constants) can always be rewritten as formulas with quantified variables
ranging only over the active domain of the interpretation. For an interpretation
$\mathcal{I} = (\Delta, \cdot^{\mathcal{I}})$, we define the restriction of $\mathcal{I}$ to its active domain as the interpretation
$\bar{\mathcal{I}} = (adom(\mathcal{I}), \cdot^{\mathcal{I}})$. In words, $\bar{\mathcal{I}}$ is the same interpretation as $\mathcal{I}$, except that the object
domain is replaced by the active domain.

Theorem 8 (Theorem 5.6.3 of [60]). For every FO formula $\varphi$, one can effectively compute
a formula $\varphi'$, with quantified variables ranging only over the active domain, such
that for any interpretation $\mathcal{I} = (\Delta, \cdot^{\mathcal{I}})$ with infinite domain $\Delta$, and any valuation $v$, we
have that $\mathcal{I}, v \models \varphi$ if and only if $\bar{\mathcal{I}}, v \models \varphi'$.

This result says that checking whether $\mathcal{I}, v \models \varphi'$ requires knowing only the interpretation
function of $\mathcal{I}$, while the interpretation domain $\Delta$ can be disregarded. In other
words, $\varphi'$ is a domain-independent formula. One way to obtain domain-independent
formulas is to avoid the use of negation and instead use logical difference with respect
to the active domain. The above theorem says that it is always possible to transform
a FO formula to be evaluated over an infinite domain into a domain-independent one
to be evaluated over the active domain only (and actually its proof gives an effective
procedure to do so).

An immediate consequence of Theorem 8 is that if $adom(\mathcal{I})$ is finite, then checking
whether $\mathcal{I}, v \models \varphi$ is decidable, no matter whether the interpretation domain of $\mathcal{I}$ is finite
or infinite. Indeed, in the former case, decidability is obvious, while in the latter, one
can simply check $\bar{\mathcal{I}}, v \models \varphi'$, which requires only lookups on the finite extensions of
fluents and, in presence of quantified variables, iterating over the finitely many elements
of the active domain. Thus, we have the following result.

Theorem 9. Given a possibly open FO formula $\varphi$ and an interpretation $\mathcal{I} = (\Delta, \cdot^{\mathcal{I}})$
with infinite $\Delta$, if $adom(\mathcal{I})$ is finite, then, for any valuation $v$, checking whether
$\mathcal{I}, v \models \varphi$ is decidable.

Proof. See discussion above.

Theorem 9 can be lifted to computing all the valuations $v$ such that $\mathcal{I}, v \models \varphi$. Let $\varphi$
be a FO formula with free variables $x$, and $\mathcal{I} = (\Delta, \cdot^{\mathcal{I}})$ a FO interpretation. Then, the
answer on $\mathcal{I}$ to $\varphi$ is the relation $\varphi^{\mathcal{I}} = \{d \in \Delta \mid \mathcal{I}, v \models \varphi, \text{ for } v(x) = d\}$. Sometimes,
it is useful to fix the valuation of some variables $x_{in} \subseteq x$, say $v(x_{in}) = d_{in}$, and then
consider the answer to $\varphi$ under this partial assignment, that is, the relation

$$\varphi^{\mathcal{I}}_{x_{in}/d_{in}} = \{d_{out} \in \Delta \mid \mathcal{I}, v \models \varphi, \text{ for } v(x_{in}) = d_{in} \text{ and } v(x \setminus x_{in}) = d_{out}\}.$$

The following theorem says that if $\mathcal{I}$ has an infinite domain $\Delta$ but a finite active domain and the answer
$\varphi^{\mathcal{I}}_{x_{in}/d_{in}}$ is finite, then the objects occurring in the answer come necessarily from either
the active domain, or the values assigned to $x_{in}$ by $v$.

Theorem 10. Consider a FO formula $\varphi$ with free variables $x$. Let $\mathcal{I}$ be an interpretation
with infinite $\Delta$ and finite active domain. If $\varphi^{\mathcal{I}}_{x_{in}/d_{in}}$ is finite, then $\varphi^{\mathcal{I}}_{x_{in}/d_{in}} \subseteq
(adom(\mathcal{I}) \cup d_{in})^n$, where $n = |x \setminus x_{in}|$.

* $x \setminus x_{in}$ denotes the tuple obtained from $x$ by projecting out the components of $x_{in}$.

Proof. By contradiction. It can be easily proven that if $\mathcal{I}, v \models \varphi$, for $v(x_i) = d_i \notin
(adom(\mathcal{I}) \cup d_{in})$ and $x_i \in x \setminus x_{in}$, then for any other valuation $v' = v[x_i/d'_i]$ such that
$d'_i \in \Delta \setminus (adom(\mathcal{I}) \cup d_{in})$, we have that $\mathcal{I}, v' \models \varphi$. Since $\Delta$ is infinite and $adom(\mathcal{I})$
is finite, such $d'_i$ are infinitely many, thus $\varphi^{\mathcal{I}}_{x_{in}/d_{in}}$ is infinite. Contradiction.


In other words, any "new" object, with respect to those in $adom(\mathcal{I})$, occurring in the
answer, must come from $d_{in}$. A direct consequence of Theorems 9 and 10 is that one
can actually compute the answer on $\mathcal{I}$ to $\varphi$.

Theorem 11. Consider a FO formula $\varphi$ with free variables $x$. Let $\mathcal{I} = (\Delta, \cdot^{\mathcal{I}})$ be an
interpretation with infinite $\Delta$ and finite active domain. If for some valuation $v$ such that
$v(x_{in}) = d_{in}$, $\varphi^{\mathcal{I}}_{x_{in}/d_{in}}$ is finite, then $\varphi^{\mathcal{I}}_{x_{in}/d_{in}}$ is effectively computable.

Proof. It suffices to record in $\varphi^{\mathcal{I}}_{x_{in}/d_{in}}$ all those tuples $d_{out}$ such that for some $v$ with
$v(x_{in}) = d_{in}$ and $v(x \setminus x_{in}) = d_{out}$, it is the case that $\mathcal{I}, v \models \varphi$. Since by Theorem 10
such $d_{out}$ are finitely many and can be obtained using values from $adom(\mathcal{I}) \cup d_{in}$,
which is finite, and, by Theorem 9, checking whether $\mathcal{I}, v \models \varphi$ is decidable, it follows
that $\varphi^{\mathcal{I}}_{x_{in}/d_{in}}$ is computable.


These results find immediate application to the case of bounded action theories.
Indeed, bounded action theories guarantee that the active domain of $\mathcal{I}_{\mathcal{M}}(s)$ in Theorem 7 is finite (for $s$
executable). Thus, by Theorem 9, for $\varphi$ and $v$ as above, we have that checking whether
$\mathcal{I}_{\mathcal{M}}(s), v \models \varphi$ is decidable. A useful implication of this is that it is decidable to check
whether an action $A^{\mathcal{M}}(o)$ is executable in a given situation $s$. Indeed, this requires
checking whether $\mathcal{M}, v \models Poss(A(x), s)$, with $v(x) = o$, which, by Theorem 7, is
equivalent to $\mathcal{I}_{\mathcal{M}}(s), v \models \phi_A(x)$, with $\phi_A(x, s)$ the RHS of the precondition axiom
of $A$, which, in turn, is decidable. Moreover, Theorem 11 can be used to show that
for a bounded action theory, the effects of executing an action at a given situation,
as determined by the successor-state axioms, are computable and depend only on $\mathcal{I}_{\mathcal{M}}(s)$
(and the action). Indeed, we can exploit these results to get a sort of one-step regression
theorem in our setting [66, 7].


Theorem 12. Let $\mathcal{M}$ be a model of a bounded action theory $\mathcal{D}$, $s$ an executable situation,
and $a = A^{\mathcal{M}}(o)$ an action, with action type $A(y)$. Then, for any fluent $F$,
there exists a situation-suppressed action-term-free formula $\varphi = \phi(x, y)$ such that
$F^{\mathcal{I}_{\mathcal{M}}(do^{\mathcal{M}}(a, s))} = \varphi^{\mathcal{I}_{\mathcal{M}}(s)}_{y/o}$, and hence it is effectively computable.

Proof. Let $F(x, do(a, s)) \equiv \phi_F(x, a, s)$ be the successor-state axiom for fluent $F$.
For the extension of $F$ at situation $s' = do^{\mathcal{M}}(a, s)$, we have that $(p, s') \in F^{\mathcal{M}}$ iff
$\mathcal{M}, v \models \phi_F(x, A(y), s)$, for some $v$ such that $v(x) = p$ and $v(y) = o$. Notice
that $\phi_F$ contains, in general, action and situation terms, and is uniform in $s$. However,
by Theorem 5, it can be rewritten as an equivalent action-term-free formula
$\phi'_F(x, y, s)$. Then, by suppressing the situation argument, we obtain: $p \in F^{\mathcal{I}_{\mathcal{M}}(s')}$
iff $\mathcal{I}_{\mathcal{M}}(s), v \models \phi'_F(x, y)$, for some $v$ such that $v(x) = p$ and $v(y) = o$. That is,
for $\varphi = \phi'_F$, $F^{\mathcal{I}_{\mathcal{M}}(s')} = \varphi^{\mathcal{I}_{\mathcal{M}}(s)}_{y/o}$. Thus, since by boundedness of $\mathcal{D}$, $F^{\mathcal{I}_{\mathcal{M}}(s')}$ is finite,
Theorem 11 implies the thesis.






This result implies that, given $\mathcal{I}_{\mathcal{M}}(s)$ and an action $a = A^{\mathcal{M}}(o)$, we can obtain the
interpretation of each $F$ at $do^{\mathcal{M}}(a, s)$ by simply "querying" $\mathcal{I}_{\mathcal{M}}(s)$. Hence, by taking
the same interpretation of constants as in $\mathcal{M}$, we can construct $\mathcal{I}_{\mathcal{M}}(do^{\mathcal{M}}(a, s))$ from
$\mathcal{I}_{\mathcal{M}}(s)$ and the successor-state axioms of $\mathcal{D}$.


6.3 $\mu\mathcal{L}_p$ over Transition Systems

The results presented in Sections 6.1 and 6.2 suggest that, for the purpose of verification
of $\mu\mathcal{L}_p$ formulas, one can operate on simpler structures than the models of situation calculus
action theories. Indeed, as we saw, both actions and situations can be essentially
disregarded. In this section, we introduce such simpler structures, namely transition
systems (TS), show how $\mu\mathcal{L}_p$ formulas are evaluated over them, and present some important
results that allow us to perform the verification on TSs instead of on the original
model. The connection between models of situation calculus theories and transition
systems will be discussed in Section 6.4. By Theorem 6 we can focus, without loss of
generality, on a variant of $\mu\mathcal{L}_p$ where action terms do not occur.

By $Int^{\mathcal{F},\mathcal{C}}_{\Delta}$, we denote the set of all possible interpretations of the situation-suppressed
fluents in $\mathcal{F}$ and constants in $\mathcal{C}$, over the object domain $\Delta$. A transition system
(TS) (over the situation-suppressed fluents $\mathcal{F}$, constants $\mathcal{C}$, and object domain $\Delta$) is a
tuple $T = (\Delta, Q, q_0, \rightarrow, \mathcal{I})$, where:

- $\Delta$ is the object domain;

- $Q$ is the set of states;

- $q_0 \in Q$ is the initial state;

- $\rightarrow \subseteq Q \times Q$ is the transition relation; and

- $\mathcal{I} : Q \rightarrow Int^{\mathcal{F},\mathcal{C}}_{\Delta}$ is the labeling function associating each state $q$ with an interpretation
$\mathcal{I}(q) = (\Delta, \cdot^{\mathcal{I}(q)})$, such that the constants in $\mathcal{C}$ are interpreted in the same
way in all the states over which $\mathcal{I}$ is defined.


To interpret a $\mu\mathcal{L}_p$ formula over a TS $T = \langle \Delta, Q, q_0, \to, \mathcal{I} \rangle$, we use valuations $(v, V)$ formed by an individual variable valuation $v$ and a parametrized predicate variable valuation $V$, as in Section [?]. We define the extension function $(\cdot)^T_{(v,V)}$, which maps $\mu\mathcal{L}_p$ formulas to subsets of $Q$, as follows:

$(\varphi)^T_{(v,V)} = \{ q \in Q \mid \mathcal{I}(q), v \models \varphi \}$

$(\neg\Phi)^T_{(v,V)} = Q - (\Phi)^T_{(v,V)}$

$(\Phi_1 \wedge \Phi_2)^T_{(v,V)} = (\Phi_1)^T_{(v,V)} \cap (\Phi_2)^T_{(v,V)}$

$(\exists x.\mathrm{LIVE}(x) \wedge \Phi)^T_{(v,V)} = \{ q \in Q \mid \exists d \in adom(\mathcal{I}(q)).\ q \in (\Phi)^T_{(v[x/d],V)} \}$

$(\mathrm{LIVE}(\vec{x}) \wedge \langle - \rangle \Phi)^T_{(v,V)} = \{ q \in Q \mid \vec{x}/\vec{d} \in v \text{ and } \vec{d} \subseteq adom(\mathcal{I}(q)) \text{ and } \exists q'.\ q \to q' \text{ and } q' \in (\Phi)^T_{(v,V)} \}$

$(\mathrm{LIVE}(\vec{x}) \wedge [-] \Phi)^T_{(v,V)} = \{ q \in Q \mid \vec{x}/\vec{d} \in v \text{ and } \vec{d} \subseteq adom(\mathcal{I}(q)) \text{ and } \forall q'.\ q \to q' \text{ implies } q' \in (\Phi)^T_{(v,V)} \}$

$(Z)^T_{(v,V)} = V(Z)$

$(\mu Z.\Phi)^T_{(v,V)} = \bigcap \{ \mathcal{E} \subseteq Q \mid (\Phi)^T_{(v,V[Z/\mathcal{E}])} \subseteq \mathcal{E} \}$

Given a $\mu\mathcal{L}_p$ formula $\Phi$, we say that a transition system $T$ satisfies $\Phi$ at state $q$, under $v$ and $V$, written $T, q, (v,V) \models \Phi$, if $q \in (\Phi)^T_{(v,V)}$. When $\Phi$ is closed on predicate variables, we omit $V$, as irrelevant, and write $T, q, v \models \Phi$. If $\Phi$ is closed on both individual and predicate variables we simply write $T, q \models \Phi$. For closed formulas, we say that $T$ satisfies $\Phi$, written $T \models \Phi$, if $T, q_0 \models \Phi$.
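As an added example (not the paper's own code), the following Python implements the extension function above over a small constructed TS whose states are labelled by interpretations of a single unary fluent Item; the fixpoint cases are computed by iterating the approximants (false or true, then unfolding), which on a finite TS reaches the least or greatest fixpoint. The fluent, the states and the formulas are constructed for the example.

```python
"""Added example (not the paper's code): the extension function of mu-L_p
over a small constructed transition system.  Formulas are nested tuples
following the grammar of Section 6.3; FO atoms are Python predicates
over (interpretation, individual valuation)."""

# Constructed TS: a container that holds at most two objects (fluent Item).
STATES = {0: frozenset(), 1: frozenset({"o1"}),
          2: frozenset({"o1", "o2"}), 3: frozenset({"o2"})}
EDGES = {(0, 1), (1, 0), (1, 2), (2, 1), (2, 3), (3, 0), (3, 2)}


def label(q):
    """I(q): fluent name -> extension (a set of tuples)."""
    return {"Item": frozenset((d,) for d in STATES[q])}


def adom(interp):
    """Active domain of an interpretation (no constants in this example)."""
    return {d for ext in interp.values() for t in ext for d in t}


def successors(q):
    return {q2 for (q1, q2) in EDGES if q1 == q}


def ext(phi, v, V):
    """(phi)^T_{(v,V)}: the set of states of the TS satisfying phi."""
    kind = phi[0]
    if kind == "atom":                      # FO formula evaluated on I(q)
        return {q for q in STATES if phi[1](label(q), v)}
    if kind == "not":
        return set(STATES) - ext(phi[1], v, V)
    if kind == "and":
        return ext(phi[1], v, V) & ext(phi[2], v, V)
    if kind == "exists":                    # exists x. LIVE(x) and Phi
        x, body = phi[1], phi[2]
        return {q for q in STATES
                if any(q in ext(body, {**v, x: d}, V) for d in adom(label(q)))}
    if kind in ("diamond", "box"):          # LIVE(xs) and <->Phi / [-]Phi
        xs, body = phi[1], phi[2]
        inner = ext(body, v, V)
        result = set()
        for q in STATES:
            live = all(x in v and v[x] in adom(label(q)) for x in xs)
            if not live:
                continue                    # LIVE(xs) fails: q is excluded
            succ = successors(q)
            if (kind == "diamond" and succ & inner) or \
               (kind == "box" and succ <= inner):
                result.add(q)
        return result
    if kind == "var":
        return set(V[phi[1]])
    if kind in ("mu", "nu"):                # approximants from false / true
        Z, body = phi[1], phi[2]
        approx = set() if kind == "mu" else set(STATES)
        while True:                         # mu^{k+1}Z.Phi = Phi[Z/mu^k Z.Phi]
            nxt = ext(body, v, {**V, Z: approx})
            if nxt == approx:
                return approx
            approx = nxt
    raise ValueError(f"unknown construct {kind}")


def satisfies(phi, v=None):
    """T |= phi, i.e. the initial state (0) is in the extension of phi."""
    return 0 in ext(phi, v or {}, {})


def Or(a, b):
    return ("not", ("and", ("not", a), ("not", b)))


def item(x):
    """The FO atom Item(x)."""
    return ("atom", lambda I, v: (v[x],) in I["Item"])

EMPTY = ("atom", lambda I, v: not I["Item"])   # closed atom: no Item at all

# mu Z. (EMPTY or <->Z): the container can eventually be emptied.
CAN_EMPTY = ("mu", "Z", Or(EMPTY, ("diamond", (), ("var", "Z"))))

# exists x. LIVE(x) and nu Z. (Item(x) and LIVE(x) and <->Z): some object
# present now can be kept in the container forever along some run.  The
# LIVE(x) guard on the modality is what makes quantification across states
# legal: Z is unfolded only in states where x still denotes an active object.
KEEP_FOREVER = ("exists", "x",
                ("nu", "Z", ("and", item("x"),
                             ("diamond", ("x",), ("var", "Z")))))

if __name__ == "__main__":
    print(sorted(ext(CAN_EMPTY, {}, {})))      # [0, 1, 2, 3]
    print(sorted(ext(KEEP_FOREVER, {}, {})))   # [1, 2, 3]
```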

For our TSs we can prove a suitable version of the classical bisimulation invariance results for the $\mu$-calculus, which state that bisimilar TSs satisfy exactly the same $\mu$-calculus formulas, see e.g., [?]. Obviously, the notion of bisimulation needed here is not the classical one, but one that takes into account the FO interpretations labeling the states of the transition systems, as well as the controlled form of quantification across states allowed in $\mu\mathcal{L}_p$.

We first recall the standard notions of isomorphism and isomorphic interpretations. Two FO interpretations $\mathcal{I}_1 = \langle \Delta_1, \cdot^{\mathcal{I}_1} \rangle$ and $\mathcal{I}_2 = \langle \Delta_2, \cdot^{\mathcal{I}_2} \rangle$ over the same fluents $\mathcal{F}$ and constants $\mathcal{C}$, are said to be isomorphic, written $\mathcal{I}_1 \simeq \mathcal{I}_2$, if there exists a bijection (called isomorphism) $h : \Delta_1 \mapsto \Delta_2$ such that: (i) for every $F \in \mathcal{F}$, $\vec{x} \in F^{\mathcal{I}_1}$ if and only if $h(\vec{x}) \in F^{\mathcal{I}_2}$; (ii) for every $c \in \mathcal{C}$, $c^{\mathcal{I}_2} = h(c^{\mathcal{I}_1})$. It is immediate to see that if $h$ is an isomorphism, then so is $h^{-1}$, and that $\simeq$ is an equivalence relation. Intuitively, for two interpretations to be isomorphic, it is required that one can be obtained from the other by renaming the individuals in the interpretation domain. Notice that, necessarily, the interpretation domains of isomorphic interpretations have the same cardinality. When needed, to make it explicit that $h$ is an isomorphism between $\mathcal{I}_1$ and $\mathcal{I}_2$, we write $\mathcal{I}_1 \simeq_h \mathcal{I}_2$. We denote by $h|_{D_1}$ the restriction of $h$ to $D_1$, i.e., the mapping $h|_{D_1} : D_1 \mapsto h(D_1)$, such that $h|_{D_1}(d) = h(d)$, for every $d \in D_1$. In addition, recall that $\hat{\mathcal{I}} = \langle adom(\mathcal{I}), \cdot^{\mathcal{I}} \rangle$ denotes the restriction of an interpretation $\mathcal{I} = \langle \Delta, \cdot^{\mathcal{I}} \rangle$ to its active domain.

The bisimulation relation that captures $\mu\mathcal{L}_p$ can be defined as follows. Let $T_1 = \langle \Delta_1, Q_1, q_{10}, \to_1, \mathcal{I}_1 \rangle$ and $T_2 = \langle \Delta_2, Q_2, q_{20}, \to_2, \mathcal{I}_2 \rangle$ be two transition systems (over the situation-suppressed fluents and constants of an action theory $\mathcal{D}$), and let $H$ be the set of all possible bijections $h : D_1 \mapsto D_2$, for $D_1 \subseteq \Delta_1$ and $D_2 \subseteq \Delta_2$. A relation $B \subseteq Q_1 \times H \times Q_2$ is a persistence-preserving bisimulation between $T_1$ and $T_2$, if $\langle q_1, h, q_2 \rangle \in B$ implies that:

1. $\hat{\mathcal{I}}_1(q_1) \simeq_h \hat{\mathcal{I}}_2(q_2)$;

2. for each $q'_1 \in Q_1$, if $q_1 \to_1 q'_1$ then there exists $q'_2 \in Q_2$ such that:

(a) $q_2 \to_2 q'_2$,

(b) there exists a bijection $h' : adom(\mathcal{I}_1(q_1)) \cup adom(\mathcal{I}_1(q'_1)) \mapsto adom(\mathcal{I}_2(q_2)) \cup adom(\mathcal{I}_2(q'_2))$ such that its restriction $h'|_{adom(\mathcal{I}_1(q_1))}$ coincides with $h$ and its restriction $h'|_{adom(\mathcal{I}_1(q'_1))}$ is such that $\langle q'_1, h'|_{adom(\mathcal{I}_1(q'_1))}, q'_2 \rangle \in B$;

3. for each $q'_2 \in Q_2$, if $q_2 \to_2 q'_2$ then there exists $q'_1 \in Q_1$ such that:

(a) $q_1 \to_1 q'_1$,

(b) there exists a bijection $h' : adom(\mathcal{I}_1(q_1)) \cup adom(\mathcal{I}_1(q'_1)) \mapsto adom(\mathcal{I}_2(q_2)) \cup adom(\mathcal{I}_2(q'_2))$ such that its restriction $h'|_{adom(\mathcal{I}_1(q_1))}$ coincides with $h$ and its restriction $h'|_{adom(\mathcal{I}_1(q'_1))}$ is such that $\langle q'_1, h'|_{adom(\mathcal{I}_1(q'_1))}, q'_2 \rangle \in B$.


Notice that requirements 2b and 3b impose the existence of a bijection $h'$ that preserves the bijection $h$ (in fact, the isomorphism) between the objects in $adom(\mathcal{I}_1(q_1))$ and those in $adom(\mathcal{I}_2(q_2))$; this essentially means that the "identity" of such objects is preserved along the transition. Moreover, $h'$ is required to induce an isomorphism between $\hat{\mathcal{I}}_1(q'_1)$ and $\hat{\mathcal{I}}_2(q'_2)$ when restricted to $adom(\mathcal{I}_1(q'_1))$, such that $\langle q'_1, h'|_{adom(\mathcal{I}_1(q'_1))}, q'_2 \rangle \in B$.

We say that a state $q_1 \in Q_1$ is (persistence-preserving) bisimilar to $q_2 \in Q_2$, written $q_1 \approx q_2$, if there exists a persistence-preserving bisimulation $B$ between $T_1$ and $T_2$ such that $\langle q_1, h, q_2 \rangle \in B$, for some $h$; when needed, we also write $q_1 \approx_h q_2$, to explicitly name $h$. Finally, a transition system $T_1$ is said to be persistence-preserving bisimilar to $T_2$, written $T_1 \approx T_2$, if $q_{10} \approx q_{20}$. It is immediate to see that bisimilarity between states and transition systems, i.e., the (overloaded) relation $\approx$, is an equivalence relation.

Next, we prove a result (Theorem 13) saying that $\mu\mathcal{L}_p$ enjoys invariance under this notion of bisimulation. To this end, we first show the result for the simpler logic $\mathcal{L}_p$, obtained from $\mu\mathcal{L}_p$ by dropping the fixpoint construct. Namely, $\mathcal{L}_p$ is defined as:

$\Phi ::= \varphi \mid \neg\Phi \mid \Phi_1 \wedge \Phi_2 \mid \exists x.\mathrm{LIVE}(x) \wedge \Phi \mid \mathrm{LIVE}(\vec{x}) \wedge \langle - \rangle \Phi \mid \mathrm{LIVE}(\vec{x}) \wedge [-]\Phi$

Such a logic corresponds to a first-order variant of the Hennessy-Milner Logic [50]. Note that its semantics is completely independent from the second-order valuation.

Given an individual variable valuation $v$ we denote by $\mathrm{IM}(v)$ its image on the object domain.

Lemma 1. Consider two transition systems $T_1 = \langle \Delta_1, Q_1, q_{10}, \to_1, \mathcal{I}_1 \rangle$ and $T_2 = \langle \Delta_2, Q_2, q_{20}, \to_2, \mathcal{I}_2 \rangle$, two states $q_1 \in Q_1$, $q_2 \in Q_2$, such that $q_1 \approx_h q_2$, and two individual variable valuations $v_1$ and $v_2$ mapping variables to $\Delta_1$ and $\Delta_2$, respectively. If there exists a bijection $\hat{h}$ between $adom(\mathcal{I}_1(q_1)) \cup \mathrm{IM}(v_1)$ and $adom(\mathcal{I}_2(q_2)) \cup \mathrm{IM}(v_2)$ whose restriction $\hat{h}|_{adom(\mathcal{I}_1(q_1))}$ coincides with $h$ and such that for each individual variable $x$, $\hat{h}(v_1(x)) = v_2(x)$, then for every formula $\Phi$ of $\mathcal{L}_p$, possibly open on individual variables, we have that:

$T_1, q_1, v_1 \models \Phi$ if and only if $T_2, q_2, v_2 \models \Phi$.

Proof. We proceed by induction on the structure of $\Phi$. For $\Phi = \varphi$, we observe that, by Theorem [?], $\mathcal{I}_i(q_i), v_i \models \varphi$ if and only if $\mathcal{I}_i(q_i), v_i \models \varphi'$ ($i = 1, 2$), for $\varphi'$ the rewriting of $\varphi$ as its domain-independent version. Further, since $\hat{\mathcal{I}}_1(q_1) \simeq_h \hat{\mathcal{I}}_2(q_2)$, and there is a bijection $\hat{h}$ between the objects assigned to variables by $v_1$ and $v_2$ (even if they are not in $adom(\mathcal{I}_1(q_1))$ or $adom(\mathcal{I}_2(q_2))$), by the invariance of FOL wrt isomorphic interpretations, it follows that $\mathcal{I}_1(q_1), v_1 \models \varphi'$ if and only if $\mathcal{I}_2(q_2), v_2 \models \varphi'$. These two facts easily imply the thesis. The cases of boolean connectives are obtained by straightforward induction using the same individual valuations $v_1$ and $v_2$ and the same bijection $\hat{h}$.

For $\Phi = \exists y.\mathrm{LIVE}(y) \wedge \Phi'$. Suppose that $T_1, q_1, v_1 \models \Phi$. Then, for some $d_1$, it is the case that $T_1, q_1, v_1[y/d_1] \models \mathrm{LIVE}(y) \wedge \Phi'$. Notice that this implies $d_1 \in adom(\mathcal{I}_1(q_1))$, then $\hat{h}(d_1) = h(d_1) = d_2$, for some $d_2 \in adom(\mathcal{I}_2(q_2))$, as $\hat{h}$ coincides with $h$ on $adom(\mathcal{I}_1(q_1))$. Consider the individual valuation $v_2[y/d_2]$. For every variable $x$ we have $\hat{h}(v_1[y/d_1](x)) = v_2[y/d_2](x)$ (for $y$ we have $v_2[y/d_2](y) = d_2 = h(d_1) = \hat{h}(v_1[y/d_1](y))$). Hence, using these new valuations and the same bijection $\hat{h}$, now restricted to $\mathrm{IM}(v_1[y/d_1])$ and $\mathrm{IM}(v_2[y/d_2])$ (to take into account the assignments to $y$), we can apply the induction hypothesis, and conclude that $T_2, q_2, v_2[y/d_2] \models \mathrm{LIVE}(y) \wedge \Phi'$, which implies $T_2, q_2, v_2 \models \Phi$. The other direction is proven symmetrically.

For $\Phi = \mathrm{LIVE}(\vec{x}) \wedge \langle - \rangle \Phi'$. Suppose that $T_1, q_1, v_1 \models (\mathrm{LIVE}(\vec{x}) \wedge \langle - \rangle \Phi')$. By definition, this implies that $v_1(x_i) \in adom(\mathcal{I}_1(q_1))$ for each $x_i \in \vec{x}$, and there exists a transition $q_1 \to_1 q'_1$ such that $T_1, q'_1, v_1 \models \Phi'$. Since $q_1 \approx_h q_2$, there exist: (i) a transition $q_2 \to_2 q'_2$, and (ii) a bijection $h' : adom(\mathcal{I}_1(q_1)) \cup adom(\mathcal{I}_1(q'_1)) \mapsto adom(\mathcal{I}_2(q_2)) \cup adom(\mathcal{I}_2(q'_2))$ such that its restriction $h'|_{adom(\mathcal{I}_1(q_1))}$ coincides with $h$, its restriction $h'|_{adom(\mathcal{I}_1(q'_1))}$ is an isomorphism such that $\hat{\mathcal{I}}_1(q'_1) \simeq_{h'|_{adom(\mathcal{I}_1(q'_1))}} \hat{\mathcal{I}}_2(q'_2)$, and $q'_1 \approx_{h'|_{adom(\mathcal{I}_1(q'_1))}} q'_2$. Now consider two new variable valuations $v'_1$ and $v'_2$, defined as follows:

- for $x_i \in \vec{x}$ (for which we have that $v_1(x_i) \in adom(\mathcal{I}_1(q_1))$), let $v'_1(x_i) = v_1(x_i)$ and $v'_2(x_i) = v_2(x_i)$;

- choose $d_1 \in \Delta_1$ and, for all $y \notin \vec{x}$, let $v'_1(y) = d_1$; then: if $d_1 \in adom(\mathcal{I}_1(q_1)) \cup adom(\mathcal{I}_1(q'_1))$, for all $y \notin \vec{x}$, let $v'_2(y) = h'(d_1)$; else, choose $d_2 \notin adom(\mathcal{I}_2(q_2)) \cup adom(\mathcal{I}_2(q'_2))$, let, for all $y \notin \vec{x}$, $v'_2(y) = d_2$, and contextually extend $h'$ so that $h'(d_1) = d_2$.

As a result, for all variables $x$, we have $h'(v'_1(x)) = v'_2(x)$ (for $h'$ possibly extended as above). Consider the bijection $\hat{h}' = h'|_{adom(\mathcal{I}_1(q'_1)) \cup \mathrm{IM}(v'_1)}$. With this new bijection and the valuations $v'_1$ and $v'_2$, we can apply the induction hypothesis, and obtain that $T_1, q'_1, v'_1 \models \Phi'$ implies $T_2, q'_2, v'_2 \models \Phi'$, and since $q_2 \to_2 q'_2$, we have that $T_2, q_2, v'_2 \models (\mathrm{LIVE}(\vec{x}) \wedge \langle - \rangle \Phi')$. Now, observe that the only free variables of $(\mathrm{LIVE}(\vec{x}) \wedge \langle - \rangle \Phi')$ are $x_i \in \vec{x}$, and that, for these, we have $v'_1(x_i) = v_1(x_i)$ and $v'_2(x_i) = v_2(x_i)$. Therefore, we can conclude that $T_2, q_2, v_2 \models (\mathrm{LIVE}(\vec{x}) \wedge \langle - \rangle \Phi')$. The other direction can be proven in a symmetric way.

For $\Phi = \mathrm{LIVE}(\vec{x}) \wedge [-]\Phi''$: we observe that we can rewrite $\Phi$ as $\neg(\mathrm{LIVE}(\vec{x}) \supset \langle - \rangle \Phi')$, with $\Phi' = \neg\Phi''$. Then, assume that $T_1, q_1, v_1 \models (\mathrm{LIVE}(\vec{x}) \supset \langle - \rangle \Phi')$. By definition, this implies that: (i) either for some $x_i \in \vec{x}$ we have $v_1(x_i) \notin adom(\mathcal{I}_1(q_1))$; or (ii) for all $x_i \in \vec{x}$ we have $v_1(x_i) \in adom(\mathcal{I}_1(q_1))$ and there exists a transition $q_1 \to_1 q'_1$ such that $T_1, q'_1, v_1 \models \Phi'$. We distinguish the two cases:

- If for some $x_i \in \vec{x}$, $v_1(x_i) \notin adom(\mathcal{I}_1(q_1))$, then we have that $v_2(x_i) \notin adom(\mathcal{I}_2(q_2))$. Indeed, assume toward contradiction that $v_2(x_i) \in adom(\mathcal{I}_2(q_2))$. Since $\hat{\mathcal{I}}_1(q_1) \simeq_h \hat{\mathcal{I}}_2(q_2)$, it follows that the inverse $\hat{h}^{-1}$ of $\hat{h}$ is unique, hence $\hat{h}^{-1}(v_2(x_i)) = v_1(x_i)$ and $v_1(x_i) \in adom(\mathcal{I}_1(q_1))$, getting a contradiction. Thus, we have that $T_2, q_2, v_2 \not\models \mathrm{LIVE}(\vec{x})$ and so $T_2, q_2, v_2 \models (\mathrm{LIVE}(\vec{x}) \supset \langle - \rangle \Phi')$.

- If for all $x_i \in \vec{x}$, $v_1(x_i) \in adom(\mathcal{I}_1(q_1))$, we can proceed in the same way as for the case of $\Phi = \mathrm{LIVE}(\vec{x}) \wedge \langle - \rangle \Phi'$.

The other direction is proven symmetrically.

We can now extend the result to the whole $\mu\mathcal{L}_p$.

Lemma 2. Consider two transition systems $T_1 = \langle \Delta_1, Q_1, q_{10}, \to_1, \mathcal{I}_1 \rangle$ and $T_2 = \langle \Delta_2, Q_2, q_{20}, \to_2, \mathcal{I}_2 \rangle$, two states $q_1 \in Q_1$, $q_2 \in Q_2$, such that $q_1 \approx_h q_2$, and two individual variable valuations $v_1$ and $v_2$ mapping variables to $\Delta_1$ and $\Delta_2$, respectively. If there exists a bijection $\hat{h}$ between $adom(\mathcal{I}_1(q_1)) \cup \mathrm{IM}(v_1)$ and $adom(\mathcal{I}_2(q_2)) \cup \mathrm{IM}(v_2)$ whose restriction $\hat{h}|_{adom(\mathcal{I}_1(q_1))}$ coincides with $h$ and such that for each individual variable $x$, $\hat{h}(v_1(x)) = v_2(x)$, then for every formula $\Phi$ of $\mu\mathcal{L}_p$, closed on the predicate variables but possibly open on the individual variables, we have:

$T_1, q_1, v_1 \models \Phi$ if and only if $T_2, q_2, v_2 \models \Phi$.

Proof. We prove the theorem in two steps. First, we show that Lemma 1 can be extended to the infinitary version of $\mathcal{L}_p$ that supports arbitrary infinite disjunction of formulas sharing the same free variables [?]. Then, we recall that fixpoints can be translated into this infinitary logic, thus guaranteeing invariance for the whole $\mu\mathcal{L}_p$ logic. Let $\Psi$ be a possibly infinite set of open $\mathcal{L}_p$ formulas. Given a transition system $T = \langle \Delta, Q, q_0, \to, \mathcal{I} \rangle$, the semantics of $\bigvee\Psi$ is $(\bigvee\Psi)^T_v = \bigcup_{\psi \in \Psi} (\psi)^T_v$. Therefore, given a state $q$ of $T$ and a variable valuation $v$, we have $T, q, v \models \bigvee\Psi$ if and only if $T, q, v \models \psi$ for some $\psi \in \Psi$. Arbitrary infinite conjunction is obtained for free through negation. Lemma 1 extends to this arbitrary infinite disjunction. By the induction hypothesis, under the assumption of the Lemma, we can assume that for every formula $\psi \in \Psi$, we have $T_1, q_{10}, v_1 \models \psi$ if and only if $T_2, q_{20}, v_2 \models \psi$. Given the semantics of $\bigvee\Psi$ above, this implies that $T_1, q_{10}, v_1 \models \bigvee\Psi$ if and only if $T_2, q_{20}, v_2 \models \bigvee\Psi$.

In order to extend the result to the whole $\mu\mathcal{L}_p$, we translate $\mu$-calculus approximates into the infinitary $\mathcal{L}_p$ (see [?]), where the approximant of index $\alpha$ is denoted by $\mu^{\alpha}Z.\Phi$ for least fixpoint formulas $\mu Z.\Phi$ and $\nu^{\alpha}Z.\Phi$ for greatest fixpoint formulas $\nu Z.\Phi$. This is a standard result that holds also for $\mu\mathcal{L}_p$. In particular, such approximates are as follows:

$\mu^{0}Z.\Phi = \mathit{false}$ \qquad $\nu^{0}Z.\Phi = \mathit{true}$

$\mu^{\beta+1}Z.\Phi = \Phi[Z/\mu^{\beta}Z.\Phi]$ \qquad $\nu^{\beta+1}Z.\Phi = \Phi[Z/\nu^{\beta}Z.\Phi]$

$\mu^{\lambda}Z.\Phi = \bigvee_{\beta < \lambda} \mu^{\beta}Z.\Phi$ \qquad $\nu^{\lambda}Z.\Phi = \bigwedge_{\beta < \lambda} \nu^{\beta}Z.\Phi$

where $\lambda$ is a limit ordinal, and the notation $\Phi[Z/\mu^{\beta}Z.\Phi]$ denotes the formula obtained from $\Phi$ by replacing each occurrence of $Z$ by $\mu^{\beta}Z.\Phi$. By the Tarski and Knaster Theorem [84], the fixpoints and their approximates are connected by the following properties: given a transition system $T$ and a state $q$ of $T$,

- $q \in (\mu Z.\Phi)^T_{(v,V)}$ if and only if there exists an ordinal $\alpha$ such that $q \in (\mu^{\alpha}Z.\Phi)^T_{(v,V)}$ and, for every $\beta < \alpha$, it holds that $q \notin (\mu^{\beta}Z.\Phi)^T_{(v,V)}$;

- $q \notin (\nu Z.\Phi)^T_{(v,V)}$ if and only if there exists an ordinal $\alpha$ such that $q \notin (\nu^{\alpha}Z.\Phi)^T_{(v,V)}$ and, for every $\beta < \alpha$, it holds that $q \in (\nu^{\beta}Z.\Phi)^T_{(v,V)}$.

Since each approximate, including the ones corresponding exactly to the least and greatest fixpoints, can be written as an infinitary $\mathcal{L}_p$ formula, we get the thesis.

With this lemma in place we can prove the invariance result.

Theorem 13. Consider two transition systems $T_1 = \langle \Delta_1, Q_1, q_{10}, \to_1, \mathcal{I}_1 \rangle$ and $T_2 = \langle \Delta_2, Q_2, q_{20}, \to_2, \mathcal{I}_2 \rangle$. If $T_1 \approx T_2$, then, for every $\mu\mathcal{L}_p$ closed formula $\Phi$,

$T_1 \models \Phi$ if and only if $T_2 \models \Phi$.

Proof. If $T_1 \approx T_2$ then for some bijection $h$ we have $q_{10} \approx_h q_{20}$. This implies that $\hat{\mathcal{I}}_1(q_{10}) \simeq_h \hat{\mathcal{I}}_2(q_{20})$. Now consider the variable valuations $v_1$ and $v_2$ defined as follows (notice that since $\Phi$ is closed such individual valuations are irrelevant in evaluating it): choose an arbitrary $d_1 \in \Delta_1$ and let, for all variables $x$, $v_1(x) = d_1$; if $d_1 \in adom(\mathcal{I}_1(q_{10}))$, let, for all $x$, $v_2(x) = h(d_1)$; else, choose $d_2 \notin adom(\mathcal{I}_2(q_{20}))$ and let, for all $x$, $v_2(x) = d_2$.

Now, define a bijection $h'$ such that for all $d \in adom(\mathcal{I}_1(q_{10}))$, $h'(d) = h(d)$, and if $d_1 \notin adom(\mathcal{I}_1(q_{10}))$, $h'(d_1) = d_2$. It can be seen that $h'$ is a bijection between $adom(\mathcal{I}_1(q_{10})) \cup \mathrm{IM}(v_1)$ and $adom(\mathcal{I}_2(q_{20})) \cup \mathrm{IM}(v_2)$ such that $\hat{\mathcal{I}}_1(q_{10}) \simeq_{h'|_{adom(\mathcal{I}_1(q_{10}))}} \hat{\mathcal{I}}_2(q_{20})$ and for all variables $x$, $h'(v_1(x)) = v_2(x)$. Hence, by Lemma 2 we get the thesis.

Thus, to check whether a transition system $T$ satisfies a $\mu\mathcal{L}_p$ formula $\Phi$, one can perform the check on any transition system $T'$ that is bisimilar to $T$. This is particularly useful in those cases where $T$ is infinite-state but admits some finite-state bisimilar transition system. We exploit this result later on.

6.4 Transition Systems Induced by a Situation Calculus Theory

Among the various TSs, we are interested in those induced by models of the situation calculus action theory $\mathcal{D}$. Consider a model $\mathcal{M}$ of $\mathcal{D}$ with object domain $\Delta$ and situation domain $S$. The TS induced by $\mathcal{M}$ is the labelled TS $T_{\mathcal{M}} = \langle \Delta, Q, q_0, \mathcal{I}, \to \rangle$, such that:

- $Q = S$ is the set of possible states, each corresponding to a distinct executable situation in $S$;

- $q_0 = S_0^{\mathcal{M}} \in Q$ is the initial state, with $S_0$ the initial situation of $\mathcal{D}$;

- $\to \subseteq Q \times Q$ is the transition relation such that $q \to q'$ iff there exists some action $a$ such that $\langle a, q \rangle \in Poss^{\mathcal{M}}$ and $q' = do^{\mathcal{M}}(a, q)$;

- $\mathcal{I} : Q \mapsto Int^{\mathcal{F},\mathcal{C}}_{\Delta}$ is the labeling function associating each state (situation) $q$ with the interpretation $\mathcal{I}(q) = \mathcal{I}_{\mathcal{M}}(q)$.

As can be seen, the TS induced by a model $\mathcal{M}$ is essentially the tree of executable situations, with each situation labelled by an interpretation of fluents (and constants), corresponding to the interpretation associated by $\mathcal{M}$ to that situation. Notice that transitions do not carry any information about the corresponding triggering action.

We can now show that the semantics of $\mu\mathcal{L}_p$ on a model can alternatively be given in terms of the corresponding induced TS.

Theorem 14. Let $\mathcal{D}$ be an action theory, $\mathcal{M}$ a model of $\mathcal{D}$ with (infinite) object domain $\Delta$ and situation domain $S$, and $T_{\mathcal{M}}$ the corresponding induced TS. Then for every $\mu\mathcal{L}_p$ formula $\Phi$ (with no occurrence of action terms) we have that:

$(\Phi)^{\mathcal{M}}_{(v,V)} = (\Phi)^{T_{\mathcal{M}}}_{(v,V)}$

Proof. By induction on the structure of $\Phi$. For the base case of an open uniform situation-suppressed situation calculus formula $\varphi$, we need to prove that

$(\varphi)^{\mathcal{M}}_{(v,V)} = \{ s \in S \mid \mathcal{M}, v \models \varphi[s] \} = (\varphi)^{T_{\mathcal{M}}}_{(v,V)} = \{ s \in S \mid \mathcal{I}(s), v \models \varphi \}$.

This is indeed the case: since no action terms occur in $\varphi$ and $\varphi$ is uniform in $s$, the evaluation of $\varphi$ depends only on the interpretation of each fluent (and constant) at $s$, i.e., on $\mathcal{I}(s)$. Once this base case is settled, the inductive cases are straightforward.


6.5 Abstract Finite-State Transition System

As shown above, satisfaction of $\mu\mathcal{L}_p$ formulas is preserved by persistence-preserving bisimulations. This holds even between an infinite- and a finite-state TS. When this is the case, the verification can be performed on the finite TS using standard $\mu$-calculus model checking techniques, which essentially perform fixpoint computations on a finite state space. We next show how, for the case of bounded theories, one can construct a finite TS $T_F$ that is bisimilar to the TS $T_{\mathcal{M}}$ induced by $\mathcal{M}$.

We construct $T_F$ using Procedure 1. The procedure takes as input an action theory $\mathcal{D}$ (with complete information on the initial situation) bounded by $b$ and a model $\mathcal{M}$ of $\mathcal{D}$ with infinite object domain $\Delta$ (see the first footnote below) and returns a finite-state TS $T_F$ bisimilar to $T_{\mathcal{M}}$. $T_F$ is built incrementally, through iterative refinements of the set of states $Q$, the interpretation function $\mathcal{I}$, and the transition relation $\to$. Initially, $Q$ contains only the initial state $q_0$ (line 2); $\mathcal{I}(q_0)$ interprets constants and fluents in the same way as $\mathcal{M}$ at the initial situation (line 3); and $\to$ is empty (line 4). The set $Q_{te}$ contains the states of $T_F$ to be "expanded" (initially $q_0$ only, line 5); this is done at each iteration of the while loop (lines 6-20), as explained next.

Firstly, a state $q$ is extracted from $Q_{te}$ (lines 7 and 8). Then, a finite subset $O$ of objects from $\Delta$ is defined (line 9). The values from $O$, together with those from $adom(\mathcal{I}(q))$, are used, in combination with the action types, to generate actions executable on the interpretation $\mathcal{I}(q)$ (see the second footnote below) (lines 10 and 11). The particular choice of $O$ guarantees that the set of generated actions, while finite, is fully representative, for the purpose of verification, of all the (possibly infinitely many) actions executable on $\mathcal{I}(q)$ (see Theorem 16). Moreover, the objects are chosen so as to maximize reuse of the objects occurring in the interpretation of the states already in $Q$.

The actual expansion step consists in computing, for each generated action, the interpretation $\mathcal{I}'$ obtained by executing the action on (a situation with interpretation) $\mathcal{I}(q)$. This is done by computing, on $\mathcal{I}(q)$, the answers to the right-hand side $\phi_F(a, \vec{y})$ of the (situation-suppressed) successor state axiom of each fluent $F$, with $a$ set to the current action (line 12). Once $\mathcal{I}'$ has been computed, two cases are possible: either it is isomorphic to some interpretation $\mathcal{I}(q')$ labeling an existing state $q' \in Q$ (line 13), under some isomorphism that preserves $\mathcal{I}(q)$, or it is not (line 15). In the former case, the transition relation is simply updated with a transition from $q$ to $q'$ (line 14) and no new state is generated. We stress that, in this case, the isomorphism is defined over the whole $\Delta$, not only over the active domains of the interpretations. In the latter case, a

Footnote: In fact, given the object domain $\Delta$, the model $\mathcal{M}$ is fully determined by $\mathcal{D}$ modulo object renaming.

Footnote: Notice that since $Poss(a, s)$ is uniform in $s$, the situation does not play any role in establishing whether, for given $a$ and $s$, $Poss(a, s)$ holds. In fact, only the interpretation of fluents (and constants) at $s$ matters. Consequently, one can take such an interpretation and safely suppress the situation argument.







Procedure 1 Computation of a finite-state TS persistence-preserving bisimilar to $T_{\mathcal{M}}$.
Input: A basic action theory $\mathcal{D}$ bounded by $b$, with complete information on $S_0$, and a model $\mathcal{M}$ of $\mathcal{D}$ with infinite object domain $\Delta$
Output: A finite-state TS $T_F = \langle \Delta, Q, q_0, \mathcal{I}, \to \rangle$ persistence-preserving bisimilar to $T_{\mathcal{M}}$
1: let $\mathcal{F}$ be the set of fluents of $\mathcal{D}$, $\mathcal{C}$ the set of constants explicitly mentioned in $\mathcal{D}$;
2: let $Q := \{q_0\}$, for $q_0$ a fresh state;
3: let $\mathcal{I}(q_0) := \mathcal{I}_{\mathcal{M}}(S_0^{\mathcal{M}})$;
4: let $\to := \emptyset$;
5: let $Q_{te} := \{q_0\}$;
6: while ($Q_{te} \neq \emptyset$) do
7:   pick $q \in Q_{te}$;
8:   let $Q_{te} := Q_{te} - \{q\}$;
9:   let $O \subseteq \Delta$ be any (finite) set of objects such that:
       (i) $|O| = \max\{|\vec{x}| \mid A(\vec{x}) \in \mathcal{A}\}$;
       (ii) $O \cap adom(\mathcal{I}(q)) = \emptyset$;
       (iii) $|O \cap \bigcup_{q \in Q} adom(\mathcal{I}(q))|$ is maximal (subject to (i) and (ii)).
10:  for all action types $A(\vec{x})$ of $\mathcal{D}$ do
11:    for all valuations $v$ such that $v(\vec{x}) \subseteq adom(\mathcal{I}(q)) \cup O$ and $\mathcal{I}(q), v \models Poss(A(\vec{x}))$ do
12:      let $\mathcal{I}' = \langle \Delta, \cdot^{\mathcal{I}'} \rangle$ be an interpretation such that: (i) $c^{\mathcal{I}'} = c^{\mathcal{I}(q)}$ for all constants $c$ in $\mathcal{C}$; (ii) $F^{\mathcal{I}'} = \{ \vec{d} \mid \mathcal{I}(q), v[\vec{y}/\vec{d}] \models \phi_F(A(\vec{x}), \vec{y}) \}$, for $\phi_F(a, \vec{y})$ the (situation-suppressed) RHS of the SSA of fluent $F$.
13:      if (there exists $q' \in Q$ and an isomorphism $h$ between $\mathcal{I}'$ and $\mathcal{I}(q')$ that is the identity on $adom(\mathcal{I}(q))$) then
14:        $\to := \to \cup \{q \to q'\}$;
15:      else
16:        let $Q := Q \uplus \{q'\}$, for $q'$ a fresh state;
           $\mathcal{I}(q') := \mathcal{I}'$;
           $\to := \to \cup \{q \to q'\}$;
           $Q_{te} := Q_{te} \uplus \{q'\}$;
17:      end if
18:    end for
19:  end for
20: end while
21: return $T_F = \langle \Delta, Q, q_0, \mathcal{I}, \to \rangle$






fresh state $q'$ with labeling $\mathcal{I}(q') = \mathcal{I}'$ is added to $Q$, and the transition relation is updated with $q \to q'$ (line 16). Further, $q'$ is also added to $Q_{te}$, so as to be expanded in future iterations. The procedure iterates over the expansion step until the set $Q_{te}$ is empty, i.e., until there are no more states to expand.

We observe that the choice of $q'$ at line 14 guarantees the existence of an isomorphism $h'$ between $\mathcal{I}'$ and $\mathcal{I}(q')$ that is the identity on $adom(\mathcal{I}(q))$. That is, any object occurring in $\mathcal{I}'$ that comes from $\mathcal{I}(q)$ must be mapped into itself. The purpose of this choice is to avoid adding a fresh state $q''$ (with interpretation $\mathcal{I}'$) to $Q$ but reuse any state $q'$ already in $Q$, if bisimilar to the candidate $q''$. This is a key step for the procedure to construct a transition system that is both finite and persistence-preserving bisimilar to $T_{\mathcal{M}}$.
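As an added example (not the paper's own code), the following Python runs Procedure 1 on a constructed bounded theory: a container holding at most two objects, with one unary fluent Item and action types add(x) and remove(x), whose precondition and successor-state axioms are given as Python predicates over situation-suppressed interpretations (the theory, its names and the object names are all constructed for the example). The isomorphism test of line 13 is brute force over the non-fixed objects, and the infinite domain is simulated by drawing fresh objects only when line 9 requires them.

```python
"""Added example (not the paper's code): Procedure 1 on a constructed
bounded basic action theory.  An interpretation is a dict
fluent -> frozenset of tuples; the constructed theory has no constants."""
from itertools import permutations, product


def adom(interp):
    """Active domain: all objects occurring in some fluent tuple."""
    return {d for ext in interp.values() for t in ext for d in t}


# --- constructed theory: one unary fluent Item, bounded by b = 2 ----------
#   Poss(add(x))     ≡ ¬Item(x) ∧ ¬∃y,z. Item(y) ∧ Item(z) ∧ y ≠ z
#   Poss(remove(x))  ≡ Item(x)
#   Item(x, do(a,s)) ≡ a = add(x) ∨ (Item(x,s) ∧ a ≠ remove(x))
ACTION_TYPES = {"add": 1, "remove": 1}       # action type -> number of parameters


def poss(interp, action, args):
    """Poss(A(x)) evaluated on I(q) under the valuation args (line 11)."""
    items = {t[0] for t in interp["Item"]}
    if action == "add":
        return args[0] not in items and len(items) < 2
    return args[0] in items


def successor(interp, action, args):
    """I' of line 12: answers to the situation-suppressed SSA right-hand side."""
    items = {t[0] for t in interp["Item"]}
    if action == "add":
        items.add(args[0])
    else:
        items.discard(args[0])
    return {"Item": frozenset((d,) for d in items)}


def isomorphic_fixing(new, old, fixed):
    """Line 13: is there an isomorphism between `new` and `old` that is the
    identity on `fixed` (= adom(I(q)))?  Brute force over the other objects."""
    a_new, a_old = adom(new), adom(old)
    if a_new & fixed != a_old & fixed:       # identity on fixed objects impossible
        return False
    free_new, free_old = sorted(a_new - fixed), sorted(a_old - fixed)
    if len(free_new) != len(free_old):
        return False
    for image in permutations(free_old):
        h = dict(zip(free_new, image))
        h.update({d: d for d in a_new & fixed})
        if all(frozenset(tuple(h[d] for d in t) for t in new[F]) == old[F]
               for F in new):
            return True
    return False


def procedure1(init):
    """Returns (states, transitions) of the finite TS T_F; states are ints,
    0 being q0 with labeling `init`."""
    states, trans, to_expand, fresh = {0: init}, set(), [0], 0
    max_arity = max(ACTION_TYPES.values())
    while to_expand:                                       # lines 6-20
        q = to_expand.pop(0)                               # lines 7-8
        adom_q = adom(states[q])
        adom_Q = set().union(*(adom(i) for i in states.values()))
        # line 9: |O| = max arity, O disjoint from adom(I(q)), reuse of
        # objects already in adom(Q) maximal; fresh objects only if needed.
        O = sorted(adom_Q - adom_q)[:max_arity]
        while len(O) < max_arity:
            fresh += 1
            O.append(f"o{fresh}")
        candidates = sorted(adom_q | set(O))
        for A, arity in ACTION_TYPES.items():              # lines 10-11
            for args in product(candidates, repeat=arity):
                if not poss(states[q], A, args):
                    continue
                new = successor(states[q], A, args)        # line 12
                q2 = next((k for k, i in states.items()
                           if isomorphic_fixing(new, i, adom_q)), None)
                if q2 is None:                             # line 16: fresh state
                    q2 = len(states)
                    states[q2] = new
                    to_expand.append(q2)
                trans.add((q, q2))                         # line 14 or 16
    return states, trans


if __name__ == "__main__":
    S, T = procedure1({"Item": frozenset()})
    for k in S:
        print(k, sorted(adom(S[k])))
    print(sorted(T))
```

On this theory the procedure stops with four states (labelled by the object sets {}, {o1}, {o1, o2}, {o2}) even though the induced TS is an infinite tree: the state {o2} is not merged with {o1} because the isomorphism would have to move o2, which belongs to adom(I(q)) of the predecessor {o1, o2}.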

We can now show that Procedure 1 terminates and returns a TS persistence-preserving bisimilar to $T_{\mathcal{M}}$. This result is split into two main results: Theorem 15, which shows that the procedure terminates, returning a finite TS, and Theorem 16, which shows that the obtained TS is indeed persistence-preserving bisimilar to $T_{\mathcal{M}}$.

To prove termination, we first derive a bound on the active domain of the interpretations labeling the states in $Q$.

Lemma 3. There exists a value $b' = b \cdot \sum_{F \in \mathcal{F}} a_F + |\mathcal{C}|$ such that, at any iteration of Procedure 1 and for any $q \in Q$, $|adom(\mathcal{I}(q))| \le b'$, where $b$ is the value bounding $\mathcal{D}$, $a_F$ the arity of fluent $F$, and $\mathcal{C}$ the set of constants explicitly mentioned in $\mathcal{D}$.

Proof. We first show that: (†) for every $q \in Q$, there exists a situation $s$ executable in $\mathcal{D}$ such that $\mathcal{I}(q) = \mathcal{I}_{\mathcal{M}}(s)$. This intuitively means that, modulo situation suppression, every state of $T_F$ is labelled by an interpretation that matches that of $\mathcal{M}$ on constants and fluents at some executable situation $s$.

The proof is by induction on $Q$. For $q_0$, the thesis follows by the definition of $\mathcal{I}(q_0)$ at line 3, as $S_0$ is executable. For the induction step, consider $q \in Q$ and assume, by the induction hypothesis, that $\mathcal{I}(q)$ is as above, for an executable situation $s$. Then, for any valuation (of object variables) $v$, we have that $\mathcal{I}(q), v \models Poss(A(\vec{x}))$ if and only if $\mathcal{I}_{\mathcal{M}}(s), v \models Poss(A(\vec{x}))$, that is, by Theorem [?], $\mathcal{M}, v' \models Poss(A(\vec{x}), \sigma)$, for $\sigma$ a situation variable and $v'$ a situation calculus variable assignment analogous to $v$ on all individual variables and such that $v'(\sigma) = s$. Thus, by line 11, $A(\vec{x})$ is executable at $s$ (with respect to $\mathcal{M}$ and $v$). Similarly, for any fluent $F$ and valuation $v$, we have that $\mathcal{I}(q), v \models \phi_F(A(\vec{x}), \vec{y})$ iff $\mathcal{M}, v' \models \phi_F(A(\vec{x}), \vec{y}, \sigma)$, that is, since $F(\vec{y}, do(a, \sigma)) \equiv \phi_F(a, \vec{y}, \sigma)$ (by definition of successor-state axiom), $\mathcal{I}(q), v \models \phi_F(A(\vec{x}), \vec{y})$ iff $\mathcal{M}, v' \models F(\vec{y}, do(A(\vec{x}), \sigma))$. But then, since by line 12 $F^{\mathcal{I}'} = \{ \vec{d} \in \Delta \mid \mathcal{I}(q), v[\vec{y}/\vec{d}] \models \phi_F(A(\vec{x}), \vec{y}) \}$, it follows that $\mathcal{I}', v[\vec{y}/\vec{d}] \models F(\vec{y})$ iff $\mathcal{M}, v'[\vec{y}/\vec{d}] \models F(\vec{y}, do(A(\vec{x}), \sigma))$. Thus, $F^{\mathcal{I}'} = \{ \vec{d} \in \Delta \mid \mathcal{M}, v'[\vec{y}/\vec{d}] \models F(\vec{y}, do(A(\vec{x}), \sigma)) \}$. Therefore, when a state $q'$ is added to $Q$ (line 16), its labeling $\mathcal{I}(q') = \mathcal{I}'$ is such that $\mathcal{I}(q') = \mathcal{I}_{\mathcal{M}}(do^{\mathcal{M}}(A^{\mathcal{M}}(v(\vec{x})), s))$. This proves (†).

Observe that (†) and the boundedness of $\mathcal{D}$ imply, together, that $|adom(\mathcal{I}(q))|$ is bounded, for any $q \in Q$. We denote by $b'$ the bound on $|adom_{\mathcal{M}}(s)|$, for any executable situation $s$ of $\mathcal{D}$, and on $|adom(\mathcal{I}(q))|$, for $q \in Q$. Notice that, in general, $b'$ is different from $b$, in that the former bounds the number of objects occurring in the interpretations, while the latter bounds the number of tuples in the interpretation of fluents. To obtain $b'$, observe that if the theory is bounded by $b$, then, for any model, the extension of each fluent $F \in \mathcal{F}$ at any executable situation contains at most $b$ distinct tuples. Thus, the extension of the generic fluent $F$ cannot contain, at any executable situation, more than $a_F \cdot b$ distinct objects, where $a_F$ is the arity of $F$ (the maximum number of tuples, each with distinct objects, distinct also from all others in the extension). As a result, the extensions cannot contain, overall, more than $\sum_{F \in \mathcal{F}} a_F \cdot b$ distinct objects. Hence, considering that $\mathcal{I}(q)$ interprets both the fluents in $\mathcal{F}$ and the constants in $\mathcal{C}$, it follows that $|adom(\mathcal{I}(q))| \le \sum_{F \in \mathcal{F}} a_F \cdot b + |\mathcal{C}| = b'$.

Then, we use the obtained bound to show that also the set of all objects occurring in the labelings of some state in $Q$, denoted $adom(Q)$, is bounded.

Lemma 4. Let $adom(Q) = \bigcup_{q \in Q} adom(\mathcal{I}(q))$. At any iteration of Procedure 1 we have that $|adom(Q)| \le 2b' + N$, for $b'$ the bound on $|adom(\mathcal{I}(q))|$ defined as in Lemma 3 and $N$ the maximum number of parameters of the action types in $\mathcal{D}$.

Proof. By induction on the size of $Q$. For $Q = \{q_0\}$, we have that $adom(Q) = adom(\mathcal{I}(q_0))$, thus the thesis follows as, by Lemma 3, $|adom(\mathcal{I}(q_0))| \le b'$. For $Q = \{q_0, \ldots, q_n\}$, assume, by induction hypothesis, that $|adom(Q)| \le 2b' + N$. Since, by Lemma 3, the state $q \in Q_{te} \subseteq Q$ picked at line 7 is such that $|adom(\mathcal{I}(q))| \le b'$ and $\Delta$ is infinite, then, by Theorem 10 (after applying Theorem [?] if action terms have to be suppressed in $\phi_F$), $\mathcal{I}'$ (line 12) is such that $adom(\mathcal{I}') \subseteq adom(\mathcal{I}(q)) \cup v(\vec{x})$. Now, observe that $v(\vec{x})$ may take values from $O$ and that the constraints on the choice of $O$ (line 9) require that the reuse of objects from $adom(Q)$ be maximized. That is, including fresh objects (with respect to $adom(Q)$) in $O$ is allowed (in fact, required) only if needed to guarantee that $|O| = |\vec{x}|$ (while $O \cap adom(\mathcal{I}(q)) = \emptyset$). Thus, two cases are possible: either $|adom(Q) \setminus adom(\mathcal{I}(q))| < |\vec{x}|$ (in which case fresh objects must be added to $O$), or not. In the first case, because $|\vec{x}| \le N$ and $adom(\mathcal{I}(q)) \subseteq adom(Q)$, it follows that $|adom(Q)| - |adom(\mathcal{I}(q))| < N$. Thus, since $|adom(\mathcal{I}(q))| \le b'$, we have that $|adom(Q)| < N + b'$. From this, observing that $|adom(\mathcal{I}(q'))| \le b'$, we obtain $|adom(Q \cup \{q'\})| \le 2b' + N$. In the second case, $O$ contains no fresh objects, thus $|adom(Q \cup \{q'\})| = |adom(Q)| \le 2b' + N$.


Exploiting this result, we can prove termination.

Theorem 15. Procedure 1 terminates and returns a finite-state transition system $T_F$.

Proof. Firstly, observe that, as a consequence of Lemma 3, (i) checking whether $\mathcal{I}(q), v \models Poss(A(\vec{x}))$ (line 11) is decidable, and (ii) $F^{\mathcal{I}'}$ (line 12) is computable. These, indeed, are implied by the fact that $|adom(\mathcal{I}(q))|$ is bounded, thus finite, and by Theorems [?] and [?], respectively. To apply these theorems, however, one needs to suppress action terms first, if present, in formulas $\phi_F(A(\vec{x}), \vec{y})$ and $\phi_A(\vec{x})$. To this end, Theorem [?] can be used. Notice also that computability of $\mathcal{I}(q_0)$ (line 3) is a direct consequence of the fact that $\mathcal{D}$ has complete information and is bounded, therefore the extension of all fluents at $S_0$ is finite. Items (i) and (ii) above guarantee that all the atomic steps of Procedure 1 can be completed in finite time.

Footnote: To simplify the notation, we use $v(\vec{x})$ for the set $\{v(x_1), \ldots, v(x_n)\}$.

Next, we prove that eventually $Q_{te} = \emptyset$. Observe that, since $\mathcal{A}$ (i.e., the set of action types of $\mathcal{D}$), $Q$, $O$, $adom_{\mathcal{M}}(S_0)$, and $adom(\mathcal{I}(q))$ are finite, it follows that, at every iteration of the while-loop (lines 6-20), the nested loops (lines 10-19) terminate; thus, proving that $Q_{te}$ becomes empty in a finite number of steps is sufficient to prove that only a finite number of iterations are executed and, hence, the procedure terminates. Obviously, this also implies that the returned $Q$, thus $T_F$, is finite.

To see that eventually $Q_{te} = \emptyset$, notice that $Q$ is inflationary, i.e., states, once added, are never removed. Consequently, objects can be added to $adom(Q)$ (when a fresh $q'$ is added) but not removed. This, together with the fact that, by Lemma 4, $|adom(Q)|$ is bounded, implies that, from some iteration $i$ on, $adom(Q)$ remains unchanged. Let $AQ_i$ be $adom(Q)$ at iteration $i$ (and at subsequent steps). Obviously, after that point, if a fresh state $q'$ is added, it must be such that $adom(\mathcal{I}(q')) \subseteq AQ_i$. Notice that, even though $adom(Q)$ cannot change, this is not the case for $Q$. Indeed, new states $q'$ could still be added, as long as $\mathcal{I}(q') = \mathcal{I}'$ contains only objects from $AQ_i$. However, since $|adom(Q)|$, thus $|AQ_i|$, is bounded, only finitely many interpretations $\mathcal{I}'$ can be built using values from $AQ_i$. Consequently, if new states keep being introduced after $i$, it follows that, from some step $i'$ on, the interpretation $\mathcal{I}'$ generated at line 12 matches the interpretation $\mathcal{I}(q')$ of some $q'$ already in $Q$. Hence, from $i'$ on, the condition at line 13 is always satisfied (with $h$ the identity function), and no fresh state $q'$ can be added to $Q$ any more. Therefore, no new state is added to $Q_{te}$ (line 16), which becomes eventually empty, as at every iteration one state is extracted from it (line 7). This completes the proof.

Finally, we show that the returned $T_F$ retains all the information needed to check whether $\mathcal{M} \models \Phi$. That is, by Theorem 13, we show that $T_F$ is persistence-preserving bisimilar to $T_{\mathcal{M}}$.

Theorem 16. The TS $T_F$ computed by Procedure 1 on a basic action theory $\mathcal{D}$ (with complete information) bounded by $b$ and a model $\mathcal{M}$ for $\mathcal{D}$, is persistence-preserving bisimilar to the TS $T_{\mathcal{M}}$ induced by $\mathcal{M}$.

Proof. LetTp = {A,Q,qo,Xp,^p) andTM = (Z\, i?, ro,T>i,define the 
relation B C Q x H x R such that {q, h,r) G B if and only if Xp{q) i-M (^) (for 
any h). Notice that, since Tp and Tm have the same object domain A, h can always 
be extended to a standard isomorphism h between Xp{q) and ^m{t) : namely, one can 
take any bijection h : A i-G A such that h\adom{iF(.q)) — 

We show that B is a persistence-preserving bisimulation between Tp and Tm- 
(page 24 1 . Consider a tuple {q,h,r) G B. Requirement [T] of the definition is triv¬ 
ially satisfied by the definition of B. As to requirement ^ let q' G Q he such that 
q —Tp q'. As shown in the proof of Theorem 15 there exists an executable situation 
s such that Xp{q) = 1-m{s)- Moreover, by the definition of Tm, r is a situation such 
that matches the interpretation given by Ai to fluents at r. Because q —tp q', 

by the construction of Tp in Procedure [T| (line [TT]), we have that, for some valuation 
V and action type A, Xp{q),v ^ Poss{A{x)), that is, by the existence of s as above, 
Ai,v \= Poss{A{x), s). Then, by extending h to an isomorphism h between Xp(q) and 
T^(r), as discussed above, we can see that T^ (r), u' ^ Toss(A(a:), r), for = hov, 
which implies that Ai,v' ^ Poss{A(x),r). Therefore, by the definition of Tm, for 







r' = do^{A^{h[v{ x)),r) G R, we have that r -Gm f'- Thus requirement |2a| is 
fulfilled. 

Next, we show the existence of an isomorphism $\hat{h}'$ between $\mathcal{I}_P(q')$ and
$\mathcal{I}_\mathcal{M}(r')$ that extends $\hat{h}$. Once proven, this implies the existence of a bijection
$h' : adom(q) \cup adom(q') \mapsto adom(r) \cup adom(r')$ such that $h'|_{adom(\mathcal{I}_P(q))} =
h$ and $\mathcal{I}_P(q') \simeq_{h'} \mathcal{I}_\mathcal{M}(r')$. Indeed, it is sufficient to take $h' =
\hat{h}'|_{adom(q) \cup adom(q')}$. Thus, the existence of $\hat{h}'$ implies requirement 2b.

To prove that such an $\hat{h}'$ exists, we distinguish two cases: (i) when the transition
$q \to_P q'$ is added at line 16 (i.e., $q'$ is a fresh state), and (ii) when it is added at line 14
(i.e., $q'$ is already in $Q$). For case (i), observe that $\mathcal{I}_\mathcal{M}(r')$ can be obtained by applying
the right-hand side of the successor-state axiom of each fluent $F$ to $\mathcal{I}_\mathcal{M}(r)$ (see
Theorem 12), which is also the way to obtain $\mathcal{I}_P(q')$ from $\mathcal{I}_P(q)$, according to
Procedure 1. Then, since $\hat{h}$ is an isomorphism between $\mathcal{I}_P(q)$ and $\mathcal{I}_\mathcal{M}(r)$, we have that
$\mathcal{I}_\mathcal{M}(r) = \hat{h}(\mathcal{I}_P(q))$, where $\hat{h}(\mathcal{I}_P(q))$ denotes the interpretation obtained from $\mathcal{I}_P(q)$
by renaming its objects according to $\hat{h}$. Because $v' = \hat{h} \circ v$, it can be checked that
$\mathcal{I}_\mathcal{M}(r') = \hat{h}(\mathcal{I}_P(q'))$, thus $\hat{h}' = \hat{h}$ is an isomorphism between $\mathcal{I}_P(q')$ and $\mathcal{I}_\mathcal{M}(r')$,
which obviously extends $\hat{h}$. For case (ii), let $\mathcal{I}'$ be the interpretation obtained by
applying the successor-state axioms to $\mathcal{I}_P(q)$. By the discussion above, we have that
$\mathcal{I}_\mathcal{M}(r') = \hat{h}(\mathcal{I}')$, while, in general, $\mathcal{I}' \neq \mathcal{I}_P(q')$. However, the condition at line 13
guarantees the existence of an isomorphism $g$ such that $\mathcal{I}' = g(\mathcal{I}_P(q'))$, that is the
identity on $adom(\mathcal{I}_P(q))$. Now, consider $\hat{h}' = \hat{h} \circ g$. Being a composition of
isomorphisms, $\hat{h}'$ is an isomorphism itself, in particular such that $\mathcal{I}_\mathcal{M}(r') = \hat{h}'(\mathcal{I}_P(q'))$.
Moreover, $\hat{h}'$ extends $\hat{h}|_{adom(\mathcal{I}_P(q))}$. This is a straightforward consequence of the facts
that $\hat{h}$ extends $h$ and $g$ is the identity on $adom(\mathcal{I}_P(q))$, which imply that $\hat{h}'$ matches $\hat{h}$
on $adom(\mathcal{I}_P(q))$. Thus, requirement 2b is fulfilled. The proof for requirement 3 follows
the same argument, with $h$ replaced by its inverse $h^{-1}$.

Since $B$ is a persistence-preserving bisimulation, the fact that $(q_0, h_0, r_0) \in B$, for
$h_0$ the identity, completes the proof.

Next we prove that checking whether $T_P$ satisfies a formula is decidable.

Theorem 17. Given a transition system $T = (\Delta, Q, q_0, \mathcal{I}, \to)$, if $Q$ is finite and, for
every $q \in Q$, $adom(\mathcal{I}(q))$ is finite, then for every $\mu\mathcal{L}_p$ formula $\Phi$, checking whether
$T \models \Phi$ is decidable.

Proof. Firstly, by applying Theorem 12 (elimination of action terms) followed by the
domain-independence rewriting result to the FO components of $\Phi$, we rewrite $\Phi$ as an
equivalent $\mu\mathcal{L}_p$ (closed) formula $\Psi$ where no action terms occur and whose FO
components are domain-independent. Once done so, the theorem is a consequence of the
finiteness of $Q$ and $adom(q)$, for $q \in Q$. Under these assumptions, $(\Psi)^T_{(q,v)}$ is easily
computable by recursive applications of the definition of $(\cdot)^T_{(q,v)}$ (page 23). In particular,
for the base case of $\Psi$ a FO formula $\varphi'$, since $\varphi'$ is action-term-free and
domain-independent, it can be evaluated over the active domain $adom(q)$ alone. As to
quantified variables (outside the FO components), they can be easily dealt with, by the
finiteness of $adom(q)$. The other cases are straightforward.

Finally, putting all the above results together, we obtain the decidability result for the
case of complete information, by observing that, by Theorem 17, the check on $T_P$ is
decidable and, by Theorems 13 and 16, it coincides with the check on $T_\mathcal{M}$.

Footnote 17: Termination and correctness of this construction are guaranteed by the
theorems above, Theorem 16 among them.


7 Dealing with Incomplete Information 


In this section, we address the case of partial information on the initial situation, by
assuming that $\mathcal{D}_0$ is a set of axioms characterizing a possibly infinite set of bounded
initial databases. Also in this case, we focus on theories whose models have infinite
object domains (as we have infinitely many distinct constants).

We first prove that whenever two models interpret their respective initial situations
in isomorphic ways, they are persistence-preserving bisimilar. We observe that this
result holds independently of the cardinalities of the object domains of the models.


Theorem 18. Let $\mathcal{D}$ be a bounded basic action theory. For every two models $\mathcal{M}$ and
$\mathcal{M}'$ of $\mathcal{D}$, with possibly different infinite object domains $\Delta$ and $\Delta'$, respectively, if
$\mathcal{I}_\mathcal{M}(S_0) \simeq \mathcal{I}_{\mathcal{M}'}(S_0)$ then $T_\mathcal{M} \approx T_{\mathcal{M}'}$.


Proof. Let $T_\mathcal{M} = (\Delta, Q, q_0, \to, \mathcal{I})$ and $T_{\mathcal{M}'} = (\Delta', Q', q'_0, \to', \mathcal{I}')$. We prove a
stronger claim, i.e., that the relation $B \subseteq Q \times H \times Q'$ such that $(q_1, h, q_2) \in B$ if
and only if $\mathcal{I}(q_1) \simeq_h \mathcal{I}'(q_2)$ (for any $h$), is a persistence-preserving bisimulation
relation between $T_\mathcal{M}$ and $T_{\mathcal{M}'}$. This result, once proven, implies the thesis; indeed, by
$\mathcal{I}_\mathcal{M}(S_0) \simeq \mathcal{I}_{\mathcal{M}'}(S_0)$, we have that there exists $h$ such that $\mathcal{I}(S_0) \simeq_h \mathcal{I}'(S_0)$,
thus, by the definition of $B$, $(S_0, h, S_0) \in B$, that is, $(q_0, h, q'_0) \in B$, as $q_0 = S_0^\mathcal{M}$
and $q'_0 = S_0^{\mathcal{M}'}$.

Let $(q_1, h, q_2) \in B$. Requirement 1 of the definition of bisimulation (page 24) is
clearly satisfied. For requirement 2, first recall that, by definition of induced transition
system (page 28), $\mathcal{I}(q_1) = \mathcal{I}_\mathcal{M}(q_1)$ and $\mathcal{I}'(q_2) = \mathcal{I}_{\mathcal{M}'}(q_2)$, thus $\mathcal{I}_\mathcal{M}(q_1) \simeq_h \mathcal{I}_{\mathcal{M}'}(q_2)$.

Assume that there exists $q'_1 \in Q$ such that $q_1 \to q'_1$. By definition of transition
system induced by $\mathcal{M}$ (page 28), there exist an action type $A$ and a valuation $v$ such
that $\mathcal{M}, v \models \phi_A(\vec{x}, q_1)$, for $Poss(A(\vec{x}), s) \equiv \phi_A(\vec{x}, s)$ the precondition axiom of $A$.
This is equivalent to $\mathcal{I}_\mathcal{M}(q_1), v \models \phi_A(\vec{x})$, for $\phi_A(\vec{x})$ the situation-suppressed
version of $\phi_A(\vec{x}, s)$. Now, let $\phi'_A(\vec{x})$ be the domain-independent version of $\phi_A(\vec{x})$. By
the domain-independence rewriting theorem, we have that $\mathcal{I}_\mathcal{M}(q_1), v \models \phi_A(\vec{x})$ if and
only if $\mathcal{I}_\mathcal{M}(q_1), v \models \phi'_A(\vec{x})$. If we extend $h$ to $v(\vec{x})$ in a way such that we obtain a
bijection $\hat{h}$ (by a cardinality argument, this is always possible), then, because
$\mathcal{I}_\mathcal{M}(q_1) \simeq_h \mathcal{I}_{\mathcal{M}'}(q_2)$, we have that $\mathcal{I}_\mathcal{M}(q_1), v \models \phi'_A(\vec{x})$ if and only if
$\mathcal{I}_{\mathcal{M}'}(q_2), \hat{h} \circ v \models \phi'_A(\vec{x})$. But then, again by the same theorem,
$\mathcal{I}_{\mathcal{M}'}(q_2), \hat{h} \circ v \models \phi_A(\vec{x})$. Thus, by reintroducing the situation argument in $\phi_A$,
we have that $\mathcal{M}', v' \models \phi_A(\vec{x}, q_2)$, that is, there exists an action $a' = A^{\mathcal{M}'}(\hat{h}(v(\vec{x})))$
such that $(a', q_2) \in Poss^{\mathcal{M}'}$. Therefore, by the definition of $T_{\mathcal{M}'}$, it follows that
$q_2 \to' q'_2$, for $q'_2 = do^{\mathcal{M}'}(a', q_2)$. This proves requirement 2a.

Notice that no assumption is made on the object domain $\Delta$ of $\mathcal{M}$ except for it to be
infinite. Hence, these results hold also if we assume standard names for object domains,
as done in [27]: in that case the object domain is infinite but numerable and coincides
with the set of constants $\mathcal{N}$ (this requires a second-order domain closure axiom).

For requirement 2b, we first show that $\mathcal{I}_\mathcal{M}(q'_1)$ can be obtained from $\mathcal{I}_\mathcal{M}(q_1)$
through the successor-state axioms. To this end, notice that $\mathcal{I}_\mathcal{M}(q'_1)$ can be obtained by
taking, for each fluent $F$, the right-hand side $\phi(\vec{y}, a, s)$ of the corresponding successor-
state axiom (the subscript $F$ is removed to simplify the notation), then deriving the
equivalent action-term-free formula $\phi(\vec{y}, \vec{x})$, as shown in Theorem 12, for action
$a = A^\mathcal{M}(v(\vec{x}))$, and finally letting $\mathcal{I}_\mathcal{M}(q'_1)$ interpret each
$F$ as the answer to the corresponding query $\phi$ on the interpretation $\mathcal{I}_\mathcal{M}(q_1)$, under the
partial assignment $\vec{x}/v(\vec{x})$ (constants are always interpreted as in $\mathcal{M}$). Now observe
that, since the action theory is bounded, so is the extension of each fluent $F$ at $q_1$ and
$q'_1$. Thus, by Theorem 10, the extension of each fluent at $q'_1$ contains only values from
$adom(\mathcal{I}_\mathcal{M}(q_1)) \cup v(\vec{x})$, that is $adom(\mathcal{I}_\mathcal{M}(q'_1)) \subseteq adom(\mathcal{I}_\mathcal{M}(q_1)) \cup v(\vec{x})$. Hence, if
we denote (for each $F$) the domain-independent rewriting of $\phi(\vec{y}, \vec{x})$ as $\phi'(\vec{y}, \vec{x})$, by
the domain-independence rewriting theorem the answers to $\phi$ and $\phi'$ on $\mathcal{I}_\mathcal{M}(q_1)$
coincide, that is, by answering $\phi'$ on $\mathcal{I}_\mathcal{M}(q_1)$, we obtain the extension of $F$ at $q'_1$.
Obviously, by doing so for every fluent $F$, we can obtain $\mathcal{I}_\mathcal{M}(q'_1)$ from $\mathcal{I}_\mathcal{M}(q_1)$. By an
analogous argument, it can be shown that $\mathcal{I}_{\mathcal{M}'}(q'_2)$ can be obtained from $\mathcal{I}_{\mathcal{M}'}(q_2)$, for
action $a' = A^{\mathcal{M}'}(\hat{h}(v(\vec{x})))$.

Next, consider again the bijection $\hat{h}$ defined above, and recall that $\hat{h}$ extends $h$
on $v(\vec{x})$, and that $\mathcal{I}_\mathcal{M}(q_1) \simeq_h \mathcal{I}_{\mathcal{M}'}(q_2)$. By the invariance of FO under isomorphic
interpretations, we have that, for each fluent $F$, the answers to $\phi'$ on $\mathcal{I}_\mathcal{M}(q_1)$ and
$\mathcal{I}_{\mathcal{M}'}(q_2)$, under the partial assignments, respectively, $\vec{x}/v(\vec{x})$ and $\vec{x}/\hat{h}(v(\vec{x}))$,
coincide, modulo the object renaming induced by $\hat{h}$. But then, it is immediate to check that
$h' = \hat{h}|_{adom(\mathcal{I}_\mathcal{M}(q_1)) \cup adom(\mathcal{I}_\mathcal{M}(q'_1))}$ is a bijection such that $h'|_{adom(\mathcal{I}_\mathcal{M}(q_1))} = h$ and
$\mathcal{I}_\mathcal{M}(q'_1) \simeq_{h'} \mathcal{I}_{\mathcal{M}'}(q'_2)$ and, hence, by the definition of $B$, $(q'_1, h', q'_2) \in B$. This proves
requirement 2b. The proof of requirement 3 is analogous.

Now, consider a set $Mod$ of models of $\mathcal{D}$ having isomorphic interpretations at $S_0$. By
Theorem 18, all such models have induced TSs that are persistence-preserving bisimilar
to each other. Thus, by Theorem 13, to check whether a $\mu\mathcal{L}_p$ formula $\Phi$ holds in all
models of $Mod$, one can perform the check on any arbitrary model of $Mod$, using, e.g.,
the technique discussed for the case of complete information. This result, together with
the assumption of boundedness, will be exploited next, to prove our main theorem.

Theorem 19. Let $\mathcal{D}$ be an action theory bounded by $b$ with incomplete information on
the initial situation, and let $\Phi$ be a $\mu\mathcal{L}_p$ closed formula. Then, checking whether $\mathcal{D} \models \Phi$
is decidable.


Proof. Let $Mod_\mathcal{D}$ be the set of all models of $\mathcal{D}$, and consider a partition of it such
that each cell contains only models whose interpretations at $S_0$ match, modulo object
renaming. Formally, we define $Mod_\mathcal{D} = \{Mod^1_\mathcal{D}, Mod^2_\mathcal{D}, \ldots\}$ such that, for every two
models $\mathcal{M}$ and $\mathcal{M}'$ in $Mod^i_\mathcal{D}$, $\mathcal{I}_\mathcal{M}(S_0) \simeq \mathcal{I}_{\mathcal{M}'}(S_0)$. As a consequence of the
boundedness of $\mathcal{D}$, the number of cells in the partition is finite. Indeed, a bounded number of
objects yields, up to object renaming, only a bounded number of possible interpretations
(of finitely many fluents and constants) at $S_0$. Thus, for some finite $n$ depending
on the theory $\mathcal{D}$ and the bound $b$, we have that $Mod_\mathcal{D} = \{Mod^1_\mathcal{D}, Mod^2_\mathcal{D}, \ldots, Mod^n_\mathcal{D}\}$.

Since, by Theorem 18, any two models $\mathcal{M}$ and $\mathcal{M}'$ of the generic cell $Mod^i_\mathcal{D}$ induce
persistence-preserving bisimilar transition systems, then, by Theorem 13, we have that
all the models of $Mod^i_\mathcal{D}$ satisfy $\Phi$ if and only if some model $\mathcal{M}$ of $Mod^i_\mathcal{D}$ satisfies $\Phi$.
Thus, to check whether $\mathcal{D} \models \Phi$, we can simply choose one model $\mathcal{M}_i$ per cell $Mod^i_\mathcal{D}$,
and then check whether, for all $i = 1, \ldots, n$, $\mathcal{M}_i \models \Phi$; if this is the case, then, and
only then, we can conclude that $\mathcal{D} \models \Phi$. Obviously, for this approach to be effective,
we need a model $\mathcal{M}_i$ per cell $Mod^i_\mathcal{D}$ and a way to perform the check. The rest of the
proof addresses these two points.


Let $\mathcal{F}$ be the set of situation-suppressed fluents of $\mathcal{D}$, and $C$ the (finite) set of
constant symbols explicitly mentioned in $\mathcal{D}$ (beyond $\mathcal{D}_{uno}$). We observe that each cell
$Mod^i_\mathcal{D}$ of the partition $Mod_\mathcal{D} = \{Mod^1_\mathcal{D}, \ldots, Mod^n_\mathcal{D}\}$ can be uniquely identified by an
interpretation $\mathcal{I}_i$ of $\mathcal{F}$ and $C$ over some infinite object domain $\Delta$. Indeed, by transitivity
of $\simeq$, any two models $\mathcal{M}, \mathcal{M}'$ of $\mathcal{D}$ such that $\mathcal{I}_\mathcal{M}(S_0) \simeq \mathcal{I}_i$ and $\mathcal{I}_{\mathcal{M}'}(S_0) \simeq \mathcal{I}_i$ are
also such that $\mathcal{I}_\mathcal{M}(S_0) \simeq \mathcal{I}_{\mathcal{M}'}(S_0)$. Notice that $\mathcal{I}_i$ certainly exists, as one can simply
take $\mathcal{I}_\mathcal{M}(S_0)$, for some model $\mathcal{M} \in Mod^i_\mathcal{D}$. Clearly, each $\mathcal{I}_i$ contains only a bounded
number of objects in the active domain and satisfies $\mathcal{D}_0$, i.e., $\mathcal{I}_i \models \mathcal{D}_0$.

Now, assume given one interpretation $\mathcal{I}_i$ per cell $Mod^i_\mathcal{D}$ (we show below how to
obtain them) and observe that, from $\mathcal{I}_i$, we can extract a complete initial situation
description as a database $\mathcal{D}^i_0$. This can be easily done, as $\mathcal{I}_i$ is finite. Consider the theory
$\mathcal{D}^i = (\mathcal{D} \setminus \mathcal{D}_0) \cup \mathcal{D}^i_0$, obtained by replacing $\mathcal{D}_0$ with $\mathcal{D}^i_0$, and assume the same
interpretation of constants in $C$ as that defined by $\mathcal{I}_i$. Under this assumption, $\mathcal{D}^i$ defines a
family of models that differ only in the object domain and in the interpretation of
constants outside $C$ (which, however, must satisfy $\mathcal{D}_{uno}$). In particular, the interpretation of
fluents in $\mathcal{F}$ and constants in $C$, at $S_0$, of all such models, is the same as that of $\mathcal{I}_i$. Thus,
the models of $\mathcal{D}^i$ constitute a subset of $Mod^i_\mathcal{D}$. To isolate one of such models, we fix an
arbitrary infinite object domain $\Delta$ (such that $adom(\mathcal{I}_i) \subseteq \Delta$), and arbitrarily extend the
partial interpretation of constants over the constants outside $C$, satisfying $\mathcal{D}_{uno}$. Notice
that this can always be done, as $\Delta$ is infinite and the set of constant symbols countable.
With $\Delta$ and the denotation of all constants fixed, $\mathcal{D}^i$ has complete information, i.e.,
yields a single model $\mathcal{M}_i$, thus, by the decidability result for complete information, we
can check whether $\mathcal{D}^i \models \Phi$, i.e., whether $\mathcal{M}_i \models \Phi$ (notice that, as it turns out from
Procedure 1, to perform the check one does not even need to know the interpretation of
constants outside $C$). This, by the discussion above, is equivalent to checking whether
for all models $\mathcal{M} \in Mod^i_\mathcal{D}$, it is the case that $\mathcal{M} \models \Phi$. Therefore, if the set of
interpretations $\mathcal{I} = \{\mathcal{I}_1, \ldots, \mathcal{I}_n\}$ is given, we can check whether $\mathcal{D} \models \Phi$.

It remains to explain how such a set of interpretations $\mathcal{I} = \{\mathcal{I}_1, \ldots, \mathcal{I}_n\}$ can
be obtained. To this end, observe that, by Lemma 4, it follows that $|adom(\mathcal{I}_i)| \leq
b + |C| = b'$. Based on this, the set $\mathcal{I}$ of interpretations $\mathcal{I}_i$ can be obtained by: (i) fixing
a set $O$ of $b'$ arbitrary objects; (ii) generating a set $\mathcal{I}'$ of all the finitely many
interpretations of $\mathcal{F}$ and $C$ over $O$, such that $\mathcal{D}_{uno}$ is enforced on $C$ and for every
interpretation $\mathcal{I}' \in \mathcal{I}'$, $\mathcal{I}' \models \mathcal{D}_0$; (iii) for any set $\mathcal{I}'' \subseteq \mathcal{I}'$ of isomorphic
interpretations, removing from $\mathcal{I}'$ all but one of such interpretations (in fact, this step
is not needed for our purposes, but avoids useless redundancies). The resulting $\mathcal{I}'$ is the
set of desired interpretations $\mathcal{I}_1, \ldots, \mathcal{I}_n$, which we rename simply as $\mathcal{I}$.



Now, observe that, by the way it is defined, $\mathcal{I}$ contains, up to object renaming, all
possible interpretations of $\mathcal{F}$ and $C$ over a set of $b'$ distinct objects, that satisfy $\mathcal{D}_0$ and
$\mathcal{D}_{uno}$ (on $C$). Thus, since for a generic model $\mathcal{M}$ of $\mathcal{D}$, the interpretation $\mathcal{I}_\mathcal{M}(S_0)$
contains at most $b'$ distinct objects (by the boundedness of $\mathcal{D}$), it turns out that there
exists an interpretation $\mathcal{I}_i \in \mathcal{I}$ such that $\mathcal{I}_\mathcal{M}(S_0) \simeq \mathcal{I}_i$. Therefore, the cell $Mod^i_\mathcal{D}$
such that $\mathcal{M} \in Mod^i_\mathcal{D}$, is characterized by some interpretation $\mathcal{I}_i \in \mathcal{I}$, namely the
interpretation at $S_0$ shared, up to object renaming, by the models of the cell itself.
On the other hand, because any $\mathcal{I}_i \in \mathcal{I}$ enforces $\mathcal{D}_{uno}$ and is such that $\mathcal{I}_i \models \mathcal{D}_0$, it
follows that there exists some model $\mathcal{M}$ of $\mathcal{D}$ such that $\mathcal{I}_\mathcal{M}(S_0) \simeq \mathcal{I}_i$. Therefore,
every interpretation of $\mathcal{I}$ characterizes some cell $Mod^i_\mathcal{D}$, specifically, that of the models
$\mathcal{M}$ such that $\mathcal{I}_\mathcal{M}(S_0) \simeq \mathcal{I}_i$. Therefore, $\mathcal{I}$ is indeed the set of desired interpretations.
This concludes the proof.

This result, besides stating decidability of the verification problem under incomplete 
information, provides us with an actual procedure to perform verification in this case. 
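The following is an added worked example (it is not code from the paper) of steps (i)-(iii) in the proof of Theorem 19: it fixes $b' = b + |C|$ objects, generates every interpretation of the fluents (at most $b$ tuples each) and of the constants $C$ over them with $\mathcal{D}_{uno}$ enforced, keeps those satisfying a constructed initial-situation description $\mathcal{D}_0$, and then discards isomorphic duplicates by computing a canonical form under object renaming. The signature (fluents $F/2$, $G/1$, constants $c_1, c_2$) and the predicate standing in for $\mathcal{D}_0$ are assumptions chosen for illustration.

```python
from itertools import combinations, permutations, product

# Constructed signature (assumption): situation-suppressed fluents with arities,
# the constants C explicitly mentioned in D, and the bound b on tuples per fluent.
FLUENTS = {"F": 2, "G": 1}
CONSTANTS = ["c1", "c2"]


def d0_holds(interp):
    """Stand-in for D_0 (assumption): F is irreflexive, c1 occurs in G, and the
    first component of every F-tuple occurs in G."""
    F, G, const = interp["F"], interp["G"], interp["const"]
    return (all(x != y for (x, y) in F)
            and (const["c1"],) in G
            and all((x,) in G for (x, _) in F))


def enumerate_interpretations(fluents, constants, b):
    """Steps (i) and (ii): all interpretations of the fluents and of C over
    b' = b + |C| objects, with D_uno on C (distinct constants, distinct
    objects), each fluent holding at most b tuples, and D_0 satisfied."""
    objects = list(range(b + len(constants)))
    per_fluent = []
    for name, arity in fluents.items():
        tuples = list(product(objects, repeat=arity))
        exts = [frozenset(c) for k in range(b + 1) for c in combinations(tuples, k)]
        per_fluent.append((name, exts))
    result = []
    for denot in permutations(objects, len(constants)):   # D_uno enforced on C
        const = dict(zip(constants, denot))
        for choice in product(*[exts for _, exts in per_fluent]):
            interp = {name: ext for (name, _), ext in zip(per_fluent, choice)}
            interp["const"] = const
            if d0_holds(interp):
                result.append(interp)
    return result


def canonical(interp, n_objects):
    """Step (iii) helper: the least image of the interpretation under all object
    renamings; two interpretations are isomorphic iff their keys coincide."""
    best = None
    for perm in permutations(range(n_objects)):
        key = (tuple(sorted((name, tuple(sorted(tuple(perm[o] for o in t) for t in ext)))
                            for name, ext in interp.items() if name != "const")),
               tuple(sorted((c, perm[o]) for c, o in interp["const"].items())))
        if best is None or key < best:
            best = key
    return best


def representatives(fluents, constants, b):
    """One interpretation per isomorphism class: the set I = {I_1, ..., I_n},
    i.e. one representative per cell of the partition of Mod_D."""
    seen = {}
    for interp in enumerate_interpretations(fluents, constants, b):
        seen.setdefault(canonical(interp, b + len(constants)), interp)
    return list(seen.values())
```

With the constructed $\mathcal{D}_0$ above and $b = 1$ there are three cells (no $F$-tuple, the tuple $(c_1, c_2)$, or a tuple $(c_1, o)$ with $o$ an unnamed object); with $b = 0$ there are none, because $\mathcal{D}_0$ forces $G$ to be non-empty. The brute-force canonical form is exponential in $b'$, which is in line with the complexity analysis of Section 8.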

8 Computational Complexity 

In this section, we assess the computational complexity of verifying $\mu\mathcal{L}_p$ formulas over
a bounded situation calculus basic action theory $\mathcal{D}$. In particular, we show that the
constructive techniques we have used for proving decidability are, in fact, optimal with
respect to worst-case computational complexity. We make the assumption that, for a
basic action theory $\mathcal{D}$, the maximum number of distinct objects occurring in the state
of any situation dominates the input size of $\mathcal{D}$ itself, and that there exists a bound
on the maximum arity of fluents. This is a reasonable assumption, analogous to the one,
typical in databases, that the size of the database provides an upper bound on the size of
the input along all dimensions, and that, in practical cases, there exists an upper bound
on the arity of relations. We exploit the constructive techniques introduced for showing
decidability to get an exponential time upper bound.

Theorem 20. Verifying $\mu\mathcal{L}_p$ formulas over a situation calculus basic action theory
bounded by $b$, with complete information on the initial situation, can be done in time
exponential in $b$.

Proof. This is a consequence of Procedure 1 and the complexity of $\mu\mathcal{L}_p$ model checking.
Firstly, consider Procedure 1 and observe that, by Lemma 4, at any iteration,
the number $m$ of distinct objects occurring, overall, in the interpretations of states
(i.e., $|adom(Q)|$ of Lemma 4) is bounded by $2b' + N$, where $b' = \sum_{F \in \mathcal{F}} b \cdot a_F$, $a_F$
is the arity of fluent $F$, and $N$ is the maximum number of parameters in action types.
Since we assume $|\mathcal{F}|$ and $N$ bounded by $b$, and $a_F$ bounded by a constant, it turns out
that $m$ is polynomial in $b$. Now, observe that, with $m$ distinct objects and $a_F$ bounded
by a constant, one can obtain a number of interpretations of $\mathcal{F}$ and $C$ that is at most
exponential in $m$, i.e., in (a polynomial of) $b$. Then, because in Procedure 1 every state
is associated with exactly one interpretation, and since no state is visited more than
once, we have that the while-loop (lines 6-20) terminates after, at most, an exponential
number of iterations.

As to each iteration, by our assumptions, we have that any loop inside the while-
loop ends after at most exponentially many iterations. Indeed, for any action type with
at most $N$ parameters, we have at most $m^N$ possible assignments, which gives an
exponential bound, as both $m$ and $N$ are bounded by a polynomial in $b$.
Now, observe that the dominant operation in the while-loop is checking whether two
interpretations are isomorphic. Since also this check can be performed in exponential
time with respect to $b$ (the problem is in NP), we obtain, overall, an exponential time
bound for Procedure 1.

Now, recall that propositional $\mu$-calculus model checking is polynomial with respect
to the sizes of the input transition system and the input formula [40] (more precisely,
polynomial for formulas of fixed alternation depth; since the formula is fixed while $b$
grows, this does not affect the bound below). As to the transition
system, the check is performed on the one returned by Procedure 1, which has size at
most exponential in $b$ (i.e., as many interpretations as one can obtain with at most $m$
objects, plus a quadratic number of transitions wrt it). As to the formula, say $\Phi$, we first
rewrite it (in polynomial time) into its equivalent domain-independent version $\Phi'$, and
then "propositionalize" it, by quantifier elimination, using only the values that occur,
overall, in the active domains of the interpretations of the states of the input transition
system. This step can be done, again, in exponential time, and returns a quantifier-free
formula exponentially larger than the original one, but equivalent to it on the obtained
finite transition system. Thus, since $\mu$-calculus model checking is polynomial wrt the
size of both the transition system and the formula, we obtain that, overall, the check
requires time at most exponential wrt $b$.

Such an exponential bound is, in fact, tight, as we can show the EXPTIME-hardness 
of the problem by reduction from acceptance in a polynomial-space bounded alternating 
Turing machine. 

Theorem 21. Verifying $\mu\mathcal{L}_p$ formulas over bounded situation calculus basic action
theories with complete information on the initial situation is EXPTIME-hard.

Proof. We show a reduction from polynomial-space bounded alternating Turing
machines, whose acceptance problem is EXPTIME-complete. A (one-tape) Alternating
Turing Machine (ATM) is a tuple $M = (Q, \Gamma, \delta, q_0, g)$ where

- $Q$ is the finite set of states;

- $\Gamma$ is the finite tape alphabet;

- $\delta \subseteq Q \times \Gamma \times Q \times \Gamma \times \{L, R\}$ is called the transition table ($L$ shifts the head left
and $R$ shifts the head right);

- $q_0 \in Q$ is the initial state;

- $g : Q \to \{and, or, accept\}$ specifies the type of each state.

If $M$ is in a state $q \in Q$ with $g(q) = accept$ then that configuration is said to be
accepting. A configuration with $g(q) = and$ is said to be accepting if all configurations
reachable in one step are accepting. A configuration with $g(q) = or$ is said to be
accepting when there exists some configuration reachable in one step which is accepting.
(The latter is the type of all states in a Nondeterministic Turing Machine.) $M$ is said to
accept an input string $w$ if the initial configuration of $M$ (where the state of $M$ is $q_0$,
the head is at the left end of the tape, and the tape contains $w$) is accepting. An ATM is
said to be polynomial-space-bounded if it scans at most a number of tape cells that is
polynomially bounded by the size of the input.

Following [23] (Chap. 4), we can axiomatize the ATM using the following fluents:

- $transTable(q, c, q', c', m, s)$. This is a situation-independent predicate (i.e., with a
trivial successor-state axiom preserving its content forever) describing the ATM's
transition table $\delta$: when in state $q$ scanning tape symbol $c$, the machine enters state
$q'$, overwrites $c$ with tape symbol $c'$, and moves its tape head in the direction $m$,
which is one of $L$ (left) or $R$ (right).

- $gType(q, t, s)$. This is a situation-independent predicate assigning (once and for
all) a type $t \in \{and, or, accept\}$ to the state $q$ of the ATM.

- $cell(i, c, s)$. This means that tape cell $i \in [0, \ldots, \ell]$ contains the symbol $c \in \Gamma \cup
\{blank\}$ in situation $s$. Notice that in every situation the number of facts of the
form $cell(i, \_, s)$ is fixed and determined by the maximal length of the tape of the
bounded ATM, $\ell$. Initially, the first cells contain the input word $w$ while the others
are blank.

- $state(q, s)$. This means that in situation $s$, the machine's state is $q$. Initially, we
have $state(q_0, S_0)$, where $q_0$ is the initial state of the ATM.

- $scan(i, s)$. This means that the machine's head is scanning tape cell $i \in [0, \ldots, \ell]$
in situation $s$. Initially, the head is scanning tape cell 0. In any situation, there will
only be one fact of the form $scan(i, s)$.

We need just one action type $trans(q', c', m)$, meaning that the machine makes a
transition from the current configuration to a new configuration where the state is $q'$, tape
symbol $c'$ is written, and the tape head moves in direction $m$, whose precondition axiom
is as follows:

$Poss(trans(q', c', m), s) \equiv \exists q, i, c.\ state(q, s) \wedge scan(i, s) \wedge cell(i, c, s) \wedge transTable(q, c, q', c', m, s)$

The successor state axioms for the fluents that can change are as follows:

$state(q, do(a, s)) \equiv \exists c, m.\ a = trans(q, c, m) \vee state(q, s) \wedge \neg\exists q', c, m.\ a = trans(q', c, m) \wedge q' \neq q$

$scan(i, do(a, s)) \equiv \exists q, c, i'.\ a = trans(q, c, L) \wedge scan(i', s) \wedge (i' = 0 \supset i = i') \wedge (i' \neq 0 \supset i = i' - 1) \vee \exists q, c, i'.\ a = trans(q, c, R) \wedge scan(i', s) \wedge i = i' + 1 \vee scan(i, s) \wedge \neg\exists q, c, m.\ a = trans(q, c, m)$

$cell(i, c, do(a, s)) \equiv \exists q, m.\ a = trans(q, c, m) \wedge scan(i, s) \vee cell(i, c, s) \wedge \neg\exists q, c', m.\ a = trans(q, c', m) \wedge scan(i, s) \wedge c' \neq c$

For the initial situation description, assuming the input $w = c_0 \ldots c_i$, we have:

$state(q_0, S_0)$, $scan(0, S_0)$,
$cell(0, c_0, S_0), \ldots, cell(i, c_i, S_0)$,
$cell(j, blank, S_0)$, for $j \in [i + 1, \ldots, \ell]$

Acceptance of the ATM is defined using the following $\mu\mathcal{L}_p$ formula $\Phi$:

$\mu Z.\ (\exists q.\ state(q) \wedge gType(q, accept)) \vee$
$(\exists q.\ state(q) \wedge gType(q, and)) \wedge [-]Z \vee$
$(\exists q.\ state(q) \wedge gType(q, or)) \wedge \langle - \rangle Z$

Then we have that $\mathcal{D} \models \Phi$ if and only if $M$ accepts $w$. Notice that in any situation there
is exactly one fact of the form $state(q, s)$ and, for each state $q$, exactly one fact of the
form $gType(q, t, s)$, so the disjunct that applies is determined by the current state. Notice
also that the above condition does not require quantification across situations.
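The reduction above, run as an added example (this is not code from the paper): a configuration is the tuple of the situation-suppressed fluents $state(q)$, $scan(i)$ and $cell(i, c)$, `executable_actions` is $Poss(trans(q', c', m), s)$, `do` applies the three successor-state axioms, and `accepts` evaluates $\Phi$ as a least fixpoint over the finitely many reachable configurations (finite because the theory is bounded: the number of $cell$ facts is fixed by $\ell$). The machine, alphabet and inputs are constructed for illustration; the machine accepts $w$ iff cells $1, 2, \ldots$ contain both a `0` and a `1` (an $and$-state forking into two $or$-searches).

```python
from collections import deque

BLANK = "_"
# gType(q, t): the type of each ATM state (constructed machine).
G_TYPE = {"q0": "and", "s1": "or", "s2": "or", "acc": "accept"}
# transTable: (q, c) -> set of (q', c', m). q0 forks (AND) into s1, which looks
# for a '1' to the right, and s2, which looks for a '0' to the right (both OR).
TRANS_TABLE = {
    ("q0", "0"): {("s1", "0", "R"), ("s2", "0", "R")},
    ("q0", "1"): {("s1", "1", "R"), ("s2", "1", "R")},
    ("s1", "0"): {("s1", "0", "R")}, ("s1", "1"): {("acc", "1", "R")},
    ("s2", "1"): {("s2", "1", "R")}, ("s2", "0"): {("acc", "0", "R")},
}


def initial_situation(w, tape_len):
    """D_0: state(q0), scan(0), cell(j, w_j) for the input and blank cells up to
    tape_len. The number of cell facts is fixed, so the theory is bounded."""
    tape = tuple(w) + (BLANK,) * (tape_len + 1 - len(w))
    return ("q0", 0, tape)


def executable_actions(conf):
    """Poss(trans(q', c', m), s): state, head and scanned symbol have a table entry.
    Beyond the last cell there is no cell(i, c, s) fact, so nothing is executable."""
    q, i, tape = conf
    if i > len(tape) - 1:
        return set()
    return set(TRANS_TABLE.get((q, tape[i]), ()))


def do(action, conf):
    """Successor-state axioms for state, scan and cell under trans(q', c', m)."""
    q_new, c_new, m = action
    q, i, tape = conf
    new_tape = tape[:i] + (c_new,) + tape[i + 1:]     # cell SSA: overwrite scanned cell
    if m == "L":
        new_head = i if i == 0 else i - 1             # scan SSA, left move (stays at 0)
    else:
        new_head = i + 1                              # scan SSA, right move
    return (q_new, new_head, new_tape)                # state SSA: state becomes q'


def reachable(conf0):
    """Explicit-state transition system induced from conf0: conf -> set of successors."""
    succ, todo = {}, deque([conf0])
    while todo:
        c = todo.popleft()
        if c in succ:
            continue
        succ[c] = {do(a, c) for a in executable_actions(c)}
        todo.extend(succ[c])
    return succ


def accepts(w, tape_len=None):
    """Evaluate Phi = mu Z. accept \\/ (and /\\ [-]Z) \\/ (or /\\ <->Z) by least-fixpoint
    iteration; True iff the initial configuration belongs to the fixpoint.
    An and-configuration with no successor satisfies [-]Z vacuously, matching
    the usual ATM convention."""
    tape_len = len(w) if tape_len is None else tape_len
    conf0 = initial_situation(w, tape_len)
    succ = reachable(conf0)
    z = set()
    while True:
        z_next = set()
        for c, nxt in succ.items():
            t = G_TYPE[c[0]]
            if t == "accept" or (t == "and" and nxt <= z) or (t == "or" and nxt & z):
                z_next.add(c)
        if z_next == z:
            return conf0 in z
        z = z_next
```

Because every reachable configuration has exactly one $state$ fact, one $scan$ fact and $\ell + 1$ $cell$ facts, the exploration is over a bounded transition system, which is what makes the $\mu\mathcal{L}_p$ check effective; `accepts("010")` holds while `accepts("011")` does not, since the $s_2$ branch never finds a `0`.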

9 Checking Boundedness 

We now show that we can always check whether any BAT maintains boundedness for
a given bound. That is, if the initial situation description is bounded, then the entire
theory is too (for all executable situations).

First notice that we can determine in a situation $s$ whether every executable action
$a$, if performed next, does not exceed the bound (i.e., in $do(a, s)$). We can capture the
notion of a fluent $F$ being bounded at the next step by the formula:

$\bigwedge_{A \in \mathcal{A}} \forall \vec{x}.\ Poss(A(\vec{x}), s) \supset Bounded_{F,b}(do(A(\vec{x}), s)).$

Notice that each $Bounded_{F,b}(do(A(\vec{x}), s))$ is regressable through $A(\vec{x})$. As a result the
formula above is equivalent to a first-order situation calculus formula uniform in $s$; we
call the latter formula $NextOrigBounded_{F,b}(s)$, and we call $NextOrigBounded_b(s)$
the formula $\bigwedge_{F \in \mathcal{F}} NextOrigBounded_{F,b}(s)$.

To check that the theory is bounded by $b$ it is sufficient to verify that the theory
entails the temporal formula:

$AG\,NextOrigBounded_b = \nu Z.\ NextOrigBounded_b \wedge [-]Z,$

which expresses that always along any path $NextOrigBounded_b$ holds. Unfortunately,
deciding whether this formula is entailed by the action theory is directly doable with the
techniques in previous sections only if the theory is bounded, which is what we want
to check. However, it turns out that we can construct a modified version of the action
theory that is guaranteed to be bounded and that we can use to do the checking.

Let $\mathcal{D}$ be the action theory. We define a new action theory $\mathcal{W}$ obtained by
augmenting $\mathcal{D}$ as follows:

- $\mathcal{W}_{S_0} = \mathcal{D}_{S_0} \cup \{\phi[F/F'] \mid \phi \in \mathcal{D}_{S_0}\}$

- $\mathcal{W}_{ss} = \mathcal{D}_{ss} \cup \{F'(\vec{x}, do(a, s)) \equiv \phi(\vec{x}, a, s) \wedge NextOrigBounded_b(s) \mid$
$F(\vec{x}, do(a, s)) \equiv \phi(\vec{x}, a, s) \in \mathcal{D}_{ss}\}$

- $\mathcal{W}_{ap} = \{Poss(A(\vec{x}), s) \equiv \phi_A(\vec{x}, s) \wedge NextOrigBounded_b(s) \mid$
$Poss(A(\vec{x}), s) \equiv \phi_A(\vec{x}, s) \in \mathcal{D}_{ap}\}$

Intuitively, $\mathcal{W}$ extends $\mathcal{D}$ with primed copies of fluents, which are axiomatized to act,
in any situation, as the original ones as long as the original theory remains bounded
by $b$ in that situation, otherwise they become empty (and actions cannot be executed
according to $Poss$). It is easy to show the following key property for $\mathcal{W}$.



Lemma 5.

$\mathcal{W} \models \forall s.\ (\forall s'.\ s' < s \supset NextOrigBounded_b(s')) \supset \forall \vec{x}.\ (F'(\vec{x}, s) \equiv F(\vec{x}, s)).$

Proof. By induction on situations.

Now we define a new action theory $\mathcal{D}'$ which can be considered a sort of projection
of $\mathcal{W}$ over the primed fluents only. Let $\mathcal{D}'$ be:

- $\mathcal{D}'_{S_0} = \{\phi[F/F'] \mid \phi \in \mathcal{D}_{S_0}\}$.

- $\mathcal{D}'_{ss} = \{F'(\vec{x}, do(a, s)) \equiv \phi[F/F'](\vec{x}, a, s) \wedge NextOrigBounded_b[F/F'](s) \mid$
$F(\vec{x}, do(a, s)) \equiv \phi(\vec{x}, a, s) \in \mathcal{D}_{ss}\}$

- $\mathcal{D}'_{ap} = \{Poss(A(\vec{x}), s) \equiv \phi_A[F/F'](\vec{x}, s) \wedge NextOrigBounded_b[F/F'](s) \mid$
$Poss(A(\vec{x}), s) \equiv \phi_A(\vec{x}, s) \in \mathcal{D}_{ap}\}$

Notice that $\mathcal{D}'$ is bounded by construction if $\mathcal{D}'_{S_0}$ is, and furthermore it preserves the
information about the original theory being bounded at the next step, though in terms
of primed fluents. Exploiting the above lemma on $\mathcal{W}$ and the construction of $\mathcal{D}'$, we
can show that $\mathcal{D}'$ has the following notable property:

Lemma 6.

$\mathcal{D} \models AG\,NextOrigBounded_b(S_0)$ iff $\mathcal{D}' \models AG\,NextOrigBounded_b[F/F'](S_0)$.

Proof. By Lemma 5, it is immediate to see that $\mathcal{D} \models AG\,NextOrigBounded_b(S_0)$
implies $\mathcal{D}' \models AG\,NextOrigBounded_b[F/F'](S_0)$. For the opposite direction, suppose
that $\mathcal{D}' \models AG\,NextOrigBounded_b[F/F'](S_0)$, but $\mathcal{D} \models AG\,NextOrigBounded_b(S_0)$
does not hold. This means that there exists a model of $\mathcal{D}$ and a situation $S$ where
$\neg NextOrigBounded_b(S)$ holds, though in all previous situations $s < S$ we have that
$NextOrigBounded_b(s)$ holds. Now by Lemma 5 we can construct a model for $\mathcal{D}'$ such
that the truth values of $F$ are replicated in $F'$ as long as $NextOrigBounded_b$ holds in
the previous situation. So in $S$, we must have $\neg NextOrigBounded_b[F/F'](S)$, which
contradicts the assumption that $\mathcal{D}' \models AG\,NextOrigBounded_b[F/F'](S_0)$.

By Lemma 6, since $\mathcal{D}'$ is bounded by $b$ if $\mathcal{D}'_{S_0}$ is, it follows that:

Theorem 22. Given a BAT whose initial situation description is bounded by $b$, then
checking whether the entire theory is bounded by $b$ is decidable.
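As an added example (not code from the paper), the check behind Theorem 22 run on two constructed toy theories: a state is the situation-suppressed interpretation (fluent name to set of tuples) over the integers as an infinite object domain; `next_orig_bounded` is $NextOrigBounded_b(s)$, obtained by trying every executable action and checking $Bounded_{F,b}$ in the successor; `theory_is_bounded` checks $AG\,NextOrigBounded_b$ over the primed theory $\mathcal{D}'$, whose actions are blocked exactly where the bound would be exceeded, so the exploration stops at the first violation and otherwise ranges over boundedly many states up to renaming. Two simplifying assumptions are built in and labelled in the code: action types take one object parameter whose precondition and effect only compare it with stored objects (so the active domain plus one fresh object covers all successors up to isomorphism), and the canonical form is exact for unary fluents only.

```python
from collections import deque


def alloc_poss(st, x, cap=None):
    """Poss(alloc(x), s) = not Alloc(x, s); the capped variant adds |Alloc| < cap."""
    return (x,) not in st["Alloc"] and (cap is None or len(st["Alloc"]) < cap)


def free_poss(st, x):
    """Poss(free(x), s) = Alloc(x, s)."""
    return (x,) in st["Alloc"]


def alloc_ssa(st, x):
    """Alloc(y, do(alloc(x), s)) = y = x or Alloc(y, s)."""
    return {"Alloc": st["Alloc"] | {(x,)}}


def free_ssa(st, x):
    """Alloc(y, do(free(x), s)) = Alloc(y, s) and y != x."""
    return {"Alloc": st["Alloc"] - {(x,)}}


# Constructed theories: action type -> (precondition, successor-state function).
# The uncapped allocator grows Alloc without limit; the capped one never exceeds 2.
UNCAPPED = {"alloc": (alloc_poss, alloc_ssa), "free": (free_poss, free_ssa)}
CAPPED = {"alloc": (lambda st, x: alloc_poss(st, x, cap=2), alloc_ssa),
          "free": (free_poss, free_ssa)}
S0 = {"Alloc": frozenset()}          # bounded initial situation description


def adom(st):
    return {o for ext in st.values() for t in ext for o in t}


def candidates(st):
    """Assumption: one parameter, compared only by equality with stored objects,
    so the active domain plus a single fresh object yields every successor up to
    isomorphism."""
    return adom(st) | {max(adom(st), default=-1) + 1}


def bounded(st, b):
    """Bounded_{F,b} for every fluent F: at most b tuples in its extension."""
    return all(len(ext) <= b for ext in st.values())


def next_orig_bounded(theory, st, b):
    """NextOrigBounded_b(s): every executable action leads to a b-bounded state."""
    return all(bounded(ssa(st, x), b)
               for poss, ssa in theory.values()
               for x in candidates(st) if poss(st, x))


def canonical(st):
    """Rename active-domain objects by rank (assumption: exact up to isomorphism
    for unary fluents, which is all the toy theories use)."""
    rank = {o: i for i, o in enumerate(sorted(adom(st)))}
    return tuple(sorted((f, tuple(sorted(tuple(rank[o] for o in t) for t in ext)))
                        for f, ext in st.items()))


def theory_is_bounded(theory, s0, b):
    """AG NextOrigBounded_b evaluated over D': explore D while the bound holds
    (D' blocks every action as soon as it fails). Returns (verdict, witness),
    the witness being the first state from which some action exceeds b."""
    seen, todo = set(), deque([s0])
    while todo:
        st = todo.popleft()
        key = canonical(st)
        if key in seen:
            continue
        seen.add(key)
        if not next_orig_bounded(theory, st, b):
            return False, st
        for poss, ssa in theory.values():
            for x in candidates(st):
                if poss(st, x):
                    todo.append(ssa(st, x))
    return True, None
```

On `UNCAPPED` with $b = 2$ the check stops at a state holding two objects, from which `alloc` of a fresh object would produce a third tuple; on `CAPPED` with $b = 2$ the exploration closes after visiting the states with zero, one and two allocated objects, so the theory is bounded. The same capped theory fails for $b = 1$.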

Note that $NextOrigBounded_b[F/F']$ expresses that in the original theory the next
situations are bounded, though now syntactically replacing original fluents with their
primed versions.

Notice that we pose no restriction on the initial situation description except that it is
representable in first-order logic, hence checking its boundedness remains undecidable:

Theorem 23. Given a FO description of the initial situation $\mathcal{D}_0$ and a bound $b$, it is
undecidable to check whether all models of $\mathcal{D}_0$ are bounded by $b$.

Proof. By reduction from FO unsatisfiability. Suppose we have an algorithm to check
whether a FO theory $\mathcal{D}'_0$ is bounded by 0. Then we would have an algorithm to check
(un)satisfiability of $\mathcal{D}_0$. Indeed, consider, for a fixed fluent $F$ not occurring in $\mathcal{D}_0$:

$\mathcal{D}'_0 = (\mathcal{D}_0 \wedge \exists \vec{x}.\ F(\vec{x}, S_0)) \vee (\bigwedge_{F \in \mathcal{F}} \forall \vec{x}.\ \neg F(\vec{x}, S_0))$

Note that $\bigwedge_{F \in \mathcal{F}} \forall \vec{x}.\ \neg F(\vec{x}, S_0)$ has only models bounded by 0, while $\exists \vec{x}.\ F(\vec{x}, S_0)$ has
only models with at least one tuple (and thus one object) in $F$; moreover, since $F$ does
not occur in $\mathcal{D}_0$, any model of $\mathcal{D}_0$ can be extended to one of $\mathcal{D}_0 \wedge \exists \vec{x}.\ F(\vec{x}, S_0)$. Hence
we get that $\mathcal{D}'_0$ is bounded by 0 iff $\mathcal{D}_0$ is unsatisfiable. A similar argument holds for
every bound $b$.

Nonetheless, in many cases we know by construction that the initial situation is bounded.
In such cases the proof technique of Theorem 22 provides an effective way to check if
the entire theory is bounded.

10 Related Work 

Besides the situation calculus [64,73], many other formalisms for reasoning about
actions have been developed in AI, including the event calculus [55,79,80], the features
and fluents framework [?], action languages such as A [44] and C+ [?], the fluent
calculus [?], and many others. In most of these, the focus is on addressing problems
in the representation of action and change, such as the frame problem. Some attention
has also been paid to specifying and verifying general temporal properties, especially
in the context of planning. The Planning Domain Definition Language (PDDL) [65] has
been developed for specifying planning domains and problems, and a recent version
supports the expression of temporal constraints on the plan trajectory [46]. Approaches
such as those in TLPlan [?], in TALplanner [?], or in planning via model checking
[67] support planning with such temporal constraints. Within the situation calculus,
temporal constraints for planning have been studied in, e.g., [12,17]. All these planning-
related approaches are essentially propositional and give rise to transition systems that
are finite-state. One interesting attempt to interpret first-order linear temporal logic
simultaneously as a declarative specification language and procedural execution language
is that of MetateM [?], though verification is not addressed.

Most work on verification has been done in computer science, generally focusing on
finite-state systems and programs. Many logics have been developed to specify temporal
properties of such systems and programs, including linear-time logics, such as Linear
Temporal Logic (LTL) [68] and Property-Specification Language (PSL) [39], and
branching time logics such as Computation Tree Logic (CTL) [?] and CTL* [?], the
$\mu$-calculus [40,?], which subsumes the previous two, as well as Propositional Dynamic
Logic (PDL) [42], which incorporates programs in the language. Model checking (and
satisfiability) in these propositional modal logics is decidable [?], but they can only
represent finite domains and finite state systems. Practical verification systems, e.g.,
[?], have been developed for many such logics, based on model checking techniques
[?].

In AI, verification by model checking has become increasingly popular in the
autonomous agents and multi-agent systems area. There, many logics have been
proposed that additionally deal with the informational and motivational attitudes of agents
[?]. Some recent work has been specifically concerned with formalizing
multi-agent knowledge/belief and their dynamics [37,51]. Moreover, various Belief-
Desire-Intention (BDI) agent programming languages have been developed that
operationalize these mental attitudes [69,15,25,13]. Verification is important in this area as
agent autonomy makes it crucial to be able to guarantee that the system behaves as
required [43]. Furthermore, one generally wants to ensure that the agents' mental states as
well as their behavior evolve in a way that satisfies certain properties. Agent logics can
be used to specify such properties. Much of the verification work in this area focuses
on the model checking of BDI programs. For instance, [14] shows how to use the SPIN
model checker [?] to verify properties of finite-state AgentSpeak programs. [35,43]
compile BDI programs and agent properties to verify into Java and use JPF [87] to
model check them. [?] develops MCMAS, a symbolic model checker specifically for
multi-agent systems. [?] develops a theorem proving-based verification framework for
BDI programs that uses a PDL-like logic.


In the situation calculus, there is also some previous work on verification. Perhaps
the first such work is [33], where verification of possibly non-terminating Golog
[58] programs is addressed, though no effective techniques are given. Focusing on the
propositional situation calculus (where fluents have only the situation as argument),
[85] presents decidable verification techniques. In [48], these techniques are generalized
to a one-object-argument fluents fragment of the situation calculus, and in [49]
to theories expressed in a two-object-argument fragment. Techniques for verification
resorting to second-order theorem proving with no decidability guarantees are presented
in [81,82], where the CASLve verification environment for multi-agent ConGolog [26]
programs is described. In [22], characteristic graphs for programs are introduced to
define a form of regression over programs to be used as a pre-image computation step
in (sound) procedures for verifying Golog and ConGolog programs inspired by model
checking. Verification of programs over a two-variable fragment of the situation calculus
is shown to be decidable in [?]. [54] establishes conditions for verifying loop
invariants and persistence properties. Finally, [11,77] propose techniques (with model-
checking ingredients) to reason about infinite executions of Golog and ConGolog
programs based on second-order logic exploiting fixpoint approximates.

More recently, work closely related to ours [27,28,30,29] has shown that one gets 
robust decidability results for temporal verification of situation calculus action 
theories under the assumption that, in every situation, the number of object tuples 
forming the extension of each fluent is bounded by a constant. In particular, [27] 
introduced bounded situation calculus basic action theories; [27], however, assumes 
standard names for the object domain and, more significantly, disallows quantification 
across situations in the verification language. In the present paper, which is a direct 
extension of [27], both of these limitations are removed. In [28] an extended language 
with an explicit knowledge operator was considered, while in [30] online executions 
(i.e., executions where the agent only performs actions that it knows are executable) 
and progression are studied; like [27], these papers also assume standard names and rule 
out quantification across situations from the verification language. [29] addresses 
verification over online executions with sensing in bounded situation calculus theories, 
adopting as verification language a first-order variant of Linear Temporal Logic 
(FO-LTL), again without quantification across situations. 

The work in this paper is also closely related to [10]. There, an ad-hoc formalism for 
representing action and change is developed with the purpose of capturing data-aware 
artifact-centric processes. This formalism describes action preconditions and 
postconditions in first-order logic, and induces genericity [?] (there called 
uniformity) on the generated transition system. Intuitively, genericity requires that if 
two states are isomorphic they induce the "same" transitions (modulo isomorphism). This 
means, in particular, that the system is essentially Markovian [?]. As verification 
language, they consider FO-CTL, a first-order variant of CTL that allows for quantifying 
across states without requiring object persistence, as we instead do here. Their results 
imply that one can construct a finite-state transition system over which the FO-CTL 
formula of interest can be verified. However, differently from our case, such a 
transition system depends also on the number of variables in the formula. While bounded 
situation calculus action theories also enjoy genericity, it is easy to see that, without 
assuming object persistence, we immediately lose the possibility of abstracting to a 
finite transition system independently of the formula to verify. This is true even if we 
drop fixpoints completely. Indeed, assume that we have an action that replaces an object 
in the active domain by one given in its parameters. Then, without persistence, for any 
bound n on the number of objects in a candidate finite abstraction, we can write a 
(fixpoint-free) formula saying that there exists a finite run with more than n distinct 
objects: 

$$
\exists x_1.\,\mathit{LIVE}(x_1) \wedge \langle - \rangle\big(\exists x_2.\,\mathit{LIVE}(x_2) \wedge x_2 \neq x_1 \wedge
\langle - \rangle\big(\exists x_3.\,\mathit{LIVE}(x_3) \wedge x_3 \neq x_1 \wedge x_3 \neq x_2 \wedge
\cdots
\langle - \rangle\big(\exists x_{n+1}.\,\mathit{LIVE}(x_{n+1}) \wedge x_{n+1} \neq x_1 \wedge \cdots \wedge x_{n+1} \neq x_n\big)\cdots\big)\big)
$$

Obviously, this formula is false in the finite abstraction, while true in the original 
transition system, where objects are not "reused". Notice that the formula also belongs 
to FO-CTL, so this limitation applies to [10] as well. This observation shows that the 
persistence condition is crucial to get an abstraction that is independent of the formula. 
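To make the argument concrete, here is an added illustration (not part of the paper) that model-checks the nested-diamond formula above over two small transition systems: the "real" one, whose object domain is infinite so that a replaced object is never reused, and a candidate finite abstraction with only n objects. Everything below is our own construction: a single fluent LIVE, an active domain of at most one object, a hypothetical action replace(x, y) that swaps the live object x for the parameter y, and the convention that one representative fresh object stands for all fresh objects (which genericity licenses, since fresh objects are indistinguishable).

```python
"""Added example (not from the paper): the fixpoint-free formula

    ∃x1.LIVE(x1) ∧ ⟨-⟩(∃x2.LIVE(x2) ∧ x2≠x1 ∧ ⟨-⟩( ... ∃x_{n+1}.LIVE(x_{n+1}) ∧ x_{n+1}≠x1 ∧ ... ∧ x_{n+1}≠x_n ))

checked over an unbounded-domain system versus a finite n-object abstraction.
Assumptions are ours: one fluent LIVE, active domain of size <= 1, one action
replace(x, y), and integers as object names."""
from typing import Callable, FrozenSet, Iterable, Tuple

State = FrozenSet[int]                      # current extension of LIVE
Successors = Callable[[State], Iterable[State]]


def successors_unbounded(state: State) -> Iterable[State]:
    """replace(x, y) with y taken from an infinite supply of fresh objects.

    A generic system cannot distinguish one fresh object from another, so a
    single representative (larger than anything seen so far) stands for all of
    them.  Because the representative only ever grows, no object is reused."""
    fresh = max(state, default=-1) + 1
    for x in state:
        yield frozenset((state - {x}) | {fresh})


def successors_finite(n: int) -> Successors:
    """replace(x, y) over a finite abstraction whose domain is {0, ..., n-1}."""
    def succ(state: State) -> Iterable[State]:
        for x in state:
            for y in range(n):
                if y not in state:
                    yield frozenset((state - {x}) | {y})
    return succ


def distinct_chain_holds(succ: Successors, state: State, k: int,
                         chosen: FrozenSet[int] = frozenset()) -> bool:
    """Does the k-variable version of the formula hold at `state`?

    Each quantifier ∃x_i.LIVE(x_i) ∧ x_i≠x_1 ∧ ... ∧ x_i≠x_{i-1} picks a live
    object not already in `chosen`; each ⟨-⟩ moves to some successor state.
    The recursion depth is k, so the check always terminates."""
    if k == 0:
        return True
    for obj in state - chosen:
        if k == 1:
            return True
        if any(distinct_chain_holds(succ, nxt, k - 1, chosen | {obj})
               for nxt in succ(state)):
            return True
    return False


def compare(n: int, k: int, initial: State = frozenset({0})) -> Tuple[bool, bool]:
    """(truth in the unbounded system, truth in the n-object abstraction)."""
    return (distinct_chain_holds(successors_unbounded, initial, k),
            distinct_chain_holds(successors_finite(n), initial, k))


if __name__ == "__main__":
    n = 3
    for k in range(1, n + 3):
        real, abstract = compare(n, k)
        print(f"k={k}: unbounded={real}  abstraction(n={n})={abstract}")
    # The two agree for k <= n and disagree for every k > n: with n+1
    # variables the formula is true in the real system but false in the
    # abstraction, whatever n was chosen.
```

Running it shows the point of the passage: for any fixed abstraction size n, the formula with n+1 variables separates the abstraction from the real system, so no abstraction chosen before seeing the formula can be correct once persistence is dropped.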

It is interesting to observe that while dropping persistence is certainly a valuable 
syntactic simplification, the deep reason behind it is that generic transition systems, 
including those generated by situation calculus basic action theories, are essentially 
unable to talk about objects that are not in the current active domain. If some object 
that is in the active domain disappears from it and reappears again, after some steps, the 
basic action theory will treat it essentially as a fresh object (i.e., an object never seen 
before). Hence, any special treatment of such objects must come from the formula we 
are querying the transition system with: for example, we may isolate runs with special 
properties and only on those do verification. The fact that FO-CTL can drop persistence 
while maintaining decidability of verification over generic transition systems tells us 
that FO-CTL is not powerful enough to isolate interesting runs to be used as a further 
assumption for verification. 

The results in this paper are relevant not only for AI, but also for other areas of 
computer science (CS). There is some work in CS that uses model checking techniques on 
infinite-state systems. However, in most of this work the emphasis is on studying 
recursive control rather than on a rich data-oriented state description; typically data 
are either ignored or finitely abstracted, see e.g., [?]. There has recently been some 
attention paid in the field of business processes and services to including data into 
the analysis of processes [53,45,38]. Interestingly, while we have verification tools 
that are quite good for dealing with data and processes separately, when we consider 
them together we get infinite-state transition systems, which resist classical model 
checking approaches to verification. Only lately has there been some work on developing 
verification techniques that can deal with such infinite-state processes [36,4,9,5,10]. 
In particular, the form of controlled quantification across situations in our μL_p 
language, which requires object persistence in the active domain, is inspired by the 
one in [?], which in turn extends the verification logic presented in [27]. There, the 
infinite-state data-aware transition systems (with complete information) to be verified 
are defined using an ad-hoc formalism based on database operations, and the decidability 
results are based on two conditions over the transition systems, namely run-boundedness 
and state-boundedness. The latter is analogous to our situation-boundedness. In this 
paper, we make the idea of boundedness flourish in the general setting offered by the 
situation calculus, detailing the conditions needed for decidability, allowing for 
incomplete information, and exploiting the richness of the situation calculus to give 
sufficient conditions for boundedness that can easily be used in practice. Such results 
can find immediate application in the analysis of data-aware business processes and 
services. 


11 Conclusion 

In this paper, we have defined the notion of bounded action theory in the situation 
calculus, where the number of fluent atoms that hold remains bounded. We have shown that 
this restriction is sufficient to ensure that verification of an expressive class of 
temporal properties remains decidable, and is in fact EXPTIME-complete, despite the fact 
that we have an infinite domain and state space. Our result holds even in the presence of 
incomplete information. We have also argued that this restriction can be adhered to in 
practical applications, by identifying interesting classes of bounded action theories and 
showing that these can be used to model typical example dynamic domains. Decidability is 
important from a theoretical standpoint, but we stress also that our result is fully 
constructive, being based on a reduction to model checking of an (abstract) finite-state 
transition system. An interesting future enterprise is to build on such a result to 
develop an actual situation calculus verification tool. 

A future research direction of particular interest is a more systematic investigation 
of specification patterns for obtaining boundedness. This includes patterns that provide 
bounded persistence and patterns that model bounded/fading memory. These questions 
should be examined in light of the different approaches that have been proposed for 
modeling knowledge, sensing, and revision in the situation calculus and related temporal 
logics [78,34,83,37]. This work has already started. In particular, as mentioned earlier, 
the approach of this paper has been extended in [30,29] to allow verification of temporal 
properties over online executions of an agent, where the agent may acquire new 
information through sensing as it executes and only performs actions that are feasible 
according to its beliefs. In that work, the agent's belief state is modeled 
meta-theoretically, as an action theory that is progressed as actions are performed and 
sensing results are obtained. In [28], temporal epistemic verification is tackled from a 
language-theoretic viewpoint, where the situation calculus is extended with a knowledge 
modality [78]. The form of boundedness studied in that case requires that the number of 
object tuples that the agent thinks may belong to any given fluent be bounded. In 
[30,29], instead, it is only required that the number of distinct tuples entailed to 
belong to a fluent is bounded, while the number of tuples that are in the extension of a 
fluent in some model of the theory need not be bounded. More work is needed to fully 
reconcile these meta-theoretic and language-theoretic approaches. 

Finally, an important topic for future work is to tackle verification of agent programs 
[33], possibly expressed in a situation calculus-based high-level language like Golog 
[58] or ConGolog [26]. Some cases where verification of ConGolog programs is decidable 
are identified in [?]. It would be interesting to extend our framework to support such a 
form of verification as well. This is not immediate, as a temporal property may hold 
over all executions of a program without holding over all branches of the situation 
tree. To extend our approach to programs, we need to ensure that not just the agent's 
beliefs but the whole program configuration remains bounded. 